diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index b38cf78717..c9801bd936 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -1,166 +1,166 @@ ---- -title: Microsoft Edge system and language requirements -description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. -ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb -ms.reviewer: -manager: dansimp -ms.author: eravena -author: eavena -ms.prod: edge -ms.mktglfcycl: general -ms.topic: reference -ms.sitesec: library -title: Microsoft Edge for IT Pros -ms.localizationpriority: medium -ms.date: 10/02/2018 ---- - -# Microsoft Edge system and language requirements ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. - - ->[!IMPORTANT] ->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - - -## Minimum system requirements -Some of the components might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |

Note
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | -| Memory |

| -| Hard drive space | | -| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | -| Peripherals | Internet connection and a compatible pointing device | - ---- - - -## Supported languages - -Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. - -If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. - - -| Language | Country/Region | Code | -|----------------------------------------------------|-----------------------------------------|----------------| -| Afrikaans (South Africa) | South Africa | af-ZA | -| Albanian (Albania) | Albania | sq-AL | -| Amharic | Ethiopia | am-ET | -| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | -| Armenian | Armenia | hy-AM | -| Assamese | India | as-IN | -| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | -| Bangla (Bangladesh) | Bangladesh | bn-BD | -| Bangla (India) | India | bn-IN | -| Basque (Basque) | Spain | eu-ES | -| Belarusian (Belarus) | Belarus | be-BY | -| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | -| Bulgarian (Bulgaria) | Bulgaria | bg-BG | -| Catalan (Catalan) | Spain | ca-ES | -| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | -| Cherokee (Cherokee) | United States | chr-Cher-US | -| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | -| Chinese (Simplified, China) | People's Republic of China | zh-CN | -| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | -| Croatian (Croatia) | Croatia | hr-HR | -| Czech (Czech Republic) | Czech Republic | cs-CZ | -| Danish (Denmark) | Denmark | da-DK | -| Dari | Afghanistan | prs-AF | -| Dutch (Netherlands) | Netherlands | nl-NL | -| English (United Kingdom) | United Kingdom | en-GB | -| English (United States) | United States | en-US | -| Estonian (Estonia) | Estonia | et-EE | -| Filipino (Philippines) | Philippines | fil-PH | -| Finnish (Finland) | Finland | fi_FI | -| French (Canada) | Canada | fr-CA | -| French (France) | France | fr-FR | -| Galician (Galician) | Spain | gl-ES | -| Georgian | Georgia | ka-GE | -| German (Germany) | Germany | de-DE | -| Greek (Greece) | Greece | el-GR | -| Gujarati | India | gu-IN | -| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | -| Hebrew (Israel) | Israel | he-IL | -| Hindi (India) | India | hi-IN | -| Hungarian (Hungary) | Hungary | hu-HU | -| Icelandic | Iceland | is-IS | -| Igbo | Nigeria | ig-NG | -| Indonesian (Indonesia) | Indonesia | id-ID | -| Irish | Ireland | ga-IE | -| isiXhosa | South Africa | xh-ZA | -| isiZulu | South Africa | zu-ZA | -| Italian (Italy) | Italy | it-IT | -| Japanese (Japan) | Japan | ja-JP | -| Kannada | India | kn-IN | -| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | -| Khmer (Cambodia) | Cambodia | km-KH | -| K'iche' | Guatemala | quc-Latn-GT | -| Kinyarwanda | Rwanda | rw-RW | -| KiSwahili | Kenya, Tanzania | sw-KE | -| Konkani | India | kok-IN | -| Korean (Korea) | Korea | ko-KR | -| Kyrgyz | Kyrgyzstan | ky-KG | -| Lao (Laos) | Lao P.D.R. | lo-LA | -| Latvian (Latvia) | Latvia | lv-LV | -| Lithuanian (Lithuania) | Lithuania | lt-LT | -| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | -| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | -| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | -| Malayalam | India | ml-IN | -| Maltese | Malta | mt-MT | -| Maori | New Zealand | mi-NZ | -| Marathi | India | mr-IN | -| Mongolian (Cyrillic) | Mongolia | mn-MN | -| Nepali | Federal Democratic Republic of Nepal | ne-NP | -| Norwegian (Nynorsk) | Norway | nn-NO | -| Norwegian, Bokmål (Norway) | Norway | nb-NO | -| Odia | India | or-IN | -| Polish (Poland) | Poland | pl-PL | -| Portuguese (Brazil) | Brazil | pt-BR | -| Portuguese (Portugal) | Portugal | pt-PT | -| Punjabi | India | pa-IN | -| Punjabi (Arabic) | Pakistan | pa-Arab-PK | -| Quechua | Peru | quz-PE | -| Romanian (Romania) | Romania | ro-RO | -| Russian (Russia) | Russia | ru-RU | -| Scottish Gaelic | United Kingdom | gd-GB | -| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | -| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | -| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | -| Sesotho sa Leboa | South Africa | nso-ZA | -| Setswana (South Africa) | South Africa and Botswana | tn-ZA | -| Sindhi (Arabic) | Pakistan | sd-Arab-PK | -| Sinhala | Sri Lanka | si-LK | -| Slovak (Slovakia) | Slovakia | sk-SK | -| Slovenian (Slovenia) | Slovenia | sl-SL | -| Spanish (Mexico) | Mexico | es-MX | -| Spanish (Spain, International Sort) | Spain | en-ES | -| Swedish (Sweden) | Sweden | sv-SE | -| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | -| Tamil (India) | India and Sri Lanka | ta-IN | -| Tatar | Russia | tt-RU | -| Telugu | India | te-IN | -| Thai (Thailand) | Thailand | th-TH | -| Tigrinya (Ethiopia) | Ethiopia | ti-ET | -| Turkish (Turkey) | Turkey | tr-TR | -| Turkmen | Turkmenistan | tk-TM | -| Ukrainian (Ukraine) | Ukraine | uk-UA | -| Urdu | Pakistan | ur-PK | -| Uyghur | People's Republic of China | ug-CN | -| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | -| Valencian | Spain | ca-ES-valencia | -| Vietnamese | Vietnam | vi-VN | -| Welsh | United Kingdom | cy-GB | -| Wolof | Senegal | wo-SN | -| Yoruba | Nigeria | yo-NG | - ---- +--- +title: Microsoft Edge system and language requirements +description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. +ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb +ms.reviewer: +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.prod: edge +ms.mktglfcycl: general +ms.topic: reference +ms.sitesec: library +title: Microsoft Edge for IT Pros +ms.localizationpriority: medium +ms.date: 10/02/2018 +--- + +# Microsoft Edge system and language requirements +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. + + +>[!IMPORTANT] +>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. + + +## Minimum system requirements +Some of the components might also need additional system resources. Check the component's documentation for more information. + + +| Item | Minimum requirements | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | +| Operating system |

Note
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | +| Memory |

| +| Hard drive space | | +| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | +| Peripherals | Internet connection and a compatible pointing device | + +--- + + +## Supported languages + +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. + +If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. + + +| Language | Country/Region | Code | +|----------------------------------------------------|-----------------------------------------|----------------| +| Afrikaans (South Africa) | South Africa | af-ZA | +| Albanian (Albania) | Albania | sq-AL | +| Amharic | Ethiopia | am-ET | +| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | +| Armenian | Armenia | hy-AM | +| Assamese | India | as-IN | +| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | +| Bangla (Bangladesh) | Bangladesh | bn-BD | +| Bangla (India) | India | bn-IN | +| Basque (Basque) | Spain | eu-ES | +| Belarusian (Belarus) | Belarus | be-BY | +| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | +| Bulgarian (Bulgaria) | Bulgaria | bg-BG | +| Catalan (Catalan) | Spain | ca-ES | +| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | +| Cherokee (Cherokee) | United States | chr-Cher-US | +| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | +| Chinese (Simplified, China) | People's Republic of China | zh-CN | +| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | +| Croatian (Croatia) | Croatia | hr-HR | +| Czech (Czech Republic) | Czech Republic | cs-CZ | +| Danish (Denmark) | Denmark | da-DK | +| Dari | Afghanistan | prs-AF | +| Dutch (Netherlands) | Netherlands | nl-NL | +| English (United Kingdom) | United Kingdom | en-GB | +| English (United States) | United States | en-US | +| Estonian (Estonia) | Estonia | et-EE | +| Filipino (Philippines) | Philippines | fil-PH | +| Finnish (Finland) | Finland | fi_FI | +| French (Canada) | Canada | fr-CA | +| French (France) | France | fr-FR | +| Galician (Galician) | Spain | gl-ES | +| Georgian | Georgia | ka-GE | +| German (Germany) | Germany | de-DE | +| Greek (Greece) | Greece | el-GR | +| Gujarati | India | gu-IN | +| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | +| Hebrew (Israel) | Israel | he-IL | +| Hindi (India) | India | hi-IN | +| Hungarian (Hungary) | Hungary | hu-HU | +| Icelandic | Iceland | is-IS | +| Igbo | Nigeria | ig-NG | +| Indonesian (Indonesia) | Indonesia | id-ID | +| Irish | Ireland | ga-IE | +| isiXhosa | South Africa | xh-ZA | +| isiZulu | South Africa | zu-ZA | +| Italian (Italy) | Italy | it-IT | +| Japanese (Japan) | Japan | ja-JP | +| Kannada | India | kn-IN | +| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | +| Khmer (Cambodia) | Cambodia | km-KH | +| K'iche' | Guatemala | quc-Latn-GT | +| Kinyarwanda | Rwanda | rw-RW | +| KiSwahili | Kenya, Tanzania | sw-KE | +| Konkani | India | kok-IN | +| Korean (Korea) | Korea | ko-KR | +| Kyrgyz | Kyrgyzstan | ky-KG | +| Lao (Laos) | Lao P.D.R. | lo-LA | +| Latvian (Latvia) | Latvia | lv-LV | +| Lithuanian (Lithuania) | Lithuania | lt-LT | +| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | +| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | +| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | +| Malayalam | India | ml-IN | +| Maltese | Malta | mt-MT | +| Maori | New Zealand | mi-NZ | +| Marathi | India | mr-IN | +| Mongolian (Cyrillic) | Mongolia | mn-MN | +| Nepali | Federal Democratic Republic of Nepal | ne-NP | +| Norwegian (Nynorsk) | Norway | nn-NO | +| Norwegian, Bokmål (Norway) | Norway | nb-NO | +| Odia | India | or-IN | +| Polish (Poland) | Poland | pl-PL | +| Portuguese (Brazil) | Brazil | pt-BR | +| Portuguese (Portugal) | Portugal | pt-PT | +| Punjabi | India | pa-IN | +| Punjabi (Arabic) | Pakistan | pa-Arab-PK | +| Quechua | Peru | quz-PE | +| Romanian (Romania) | Romania | ro-RO | +| Russian (Russia) | Russia | ru-RU | +| Scottish Gaelic | United Kingdom | gd-GB | +| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | +| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | +| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | +| Sesotho sa Leboa | South Africa | nso-ZA | +| Setswana (South Africa) | South Africa and Botswana | tn-ZA | +| Sindhi (Arabic) | Pakistan | sd-Arab-PK | +| Sinhala | Sri Lanka | si-LK | +| Slovak (Slovakia) | Slovakia | sk-SK | +| Slovenian (Slovenia) | Slovenia | sl-SL | +| Spanish (Mexico) | Mexico | es-MX | +| Spanish (Spain, International Sort) | Spain | en-ES | +| Swedish (Sweden) | Sweden | sv-SE | +| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | +| Tamil (India) | India and Sri Lanka | ta-IN | +| Tatar | Russia | tt-RU | +| Telugu | India | te-IN | +| Thai (Thailand) | Thailand | th-TH | +| Tigrinya (Ethiopia) | Ethiopia | ti-ET | +| Turkish (Turkey) | Turkey | tr-TR | +| Turkmen | Turkmenistan | tk-TM | +| Ukrainian (Ukraine) | Ukraine | uk-UA | +| Urdu | Pakistan | ur-PK | +| Uyghur | People's Republic of China | ug-CN | +| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | +| Valencian | Spain | ca-ES-valencia | +| Vietnamese | Vietnam | vi-VN | +| Welsh | United Kingdom | cy-GB | +| Wolof | Senegal | wo-SN | +| Yoruba | Nigeria | yo-NG | + +--- diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 1c5ce07a92..18890c69ed 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -1,222 +1,221 @@ ---- -description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. -ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 -ms.reviewer: -author: eavena -ms.author: eravena -manager: dansimp -ms.prod: edge -ms.mktglfcycl: explore -ms.topic: reference -ms.sitesec: library -title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 10/29/2018 ---- - -# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge - -> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. - -Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. - -**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** - -      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* - -When you edit a Group Policy setting, you have the following configuration options: - -- **Enabled** - writes the policy setting to the registry with a value that enables it. -- **Disabled** - writes the policy setting to the registry with a value that disables it. -- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. - -Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. - - -## Allow a shared books folder -[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] - -## Allow Address bar drop-down list suggestions -[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] - -## Allow Adobe Flash -[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] - -## Allow configuration updates for the Books Library -[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] - -## Allow Cortana -[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] - -## Allow Developer Tools -[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] - -## Allow Extensions -[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] - -## Allow InPrivate browsing -[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] - -## Allow Microsoft Compatibility List -[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] - -## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] - -## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed -[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] - -## Allow search engine customization -[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] - -## Allow sideloading of Extensions -[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] - -## Allow web content on New Tab page -[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] - -## Always show the Books Library in Microsoft Edge -[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] - -## Configure additional search engines -[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure cookies -[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] - -## Configure Do Not Track -[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] - -## Configure Favorites -[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] - -## Configure kiosk mode -[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] - -## Configure kiosk reset after idle timeout -[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] - -## Configure Password Manager -[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] - -## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] - -## Configure Start pages -[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] - -## Configure the Adobe Flash Click-to-Run setting -[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] - -## Configure the Enterprise Mode Site List -[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] - -## Configure Windows Defender SmartScreen -[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] - -## Disable lockdown of Start pages -[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] - -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] - -## Prevent access to the about:flags page -[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for files -[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for sites -[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] - -## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] - -## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] - -## Prevent the First Run webpage from opening on Microsoft Edge -[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] - -## Prevent using Localhost IP address for WebRTC -[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] - -## Provision Favorites -[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] - -## Send all intranet sites to Internet Explorer 11 -[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] - -## Set default search engine -[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] - -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] - - - -## Related topics -- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) -- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) -- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) -- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) -- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). +--- +description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. +ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 +ms.reviewer: +author: eavena +ms.author: eravena +audience: itpro manager: dansimp +ms.prod: edge +ms.mktglfcycl: explore +ms.topic: reference +ms.sitesec: library +title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) +ms.localizationpriority: medium +--- + +# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge + +> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. + +Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. + +**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** + +      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* + +When you edit a Group Policy setting, you have the following configuration options: + +- **Enabled** - writes the policy setting to the registry with a value that enables it. +- **Disabled** - writes the policy setting to the registry with a value that disables it. +- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. + +Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. + + +## Allow a shared books folder +[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] + +## Allow Address bar drop-down list suggestions +[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] + +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] + +## Allow clearing browsing data on exit +[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] + +## Allow configuration updates for the Books Library +[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] + +## Allow Cortana +[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] + +## Allow Developer Tools +[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] + +## Allow Extensions +[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] + +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + +## Allow InPrivate browsing +[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] + +## Allow Microsoft Compatibility List +[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] + +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + +## Allow search engine customization +[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] + +## Allow sideloading of Extensions +[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] + +## Always show the Books Library in Microsoft Edge +[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] + +## Configure additional search engines +[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] + +## Configure Autofill +[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] + +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + +## Configure cookies +[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] + +## Configure Do Not Track +[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] + +## Configure Favorites +[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] + +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + +## Configure Password Manager +[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] + +## Configure Pop-up Blocker +[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] + +## Configure search suggestions in Address bar +[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] + +## Configure Start pages +[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] + +## Configure the Adobe Flash Click-to-Run setting +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] + +## Configure the Enterprise Mode Site List +[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] + +## Configure Windows Defender SmartScreen +[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] + +## Disable lockdown of Start pages +[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] + +## Do not sync +[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] + +## Do not sync browser settings +[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] + +## Keep favorites in sync between Internet Explorer and Microsoft Edge +[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] + +## Prevent access to the about:flags page +[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for files +[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for sites +[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] + +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + +## Prevent changes to Favorites on Microsoft Edge +[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] + +## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] + +## Prevent the First Run webpage from opening on Microsoft Edge +[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] + +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + +## Prevent using Localhost IP address for WebRTC +[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] + +## Provision Favorites +[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] + +## Send all intranet sites to Internet Explorer 11 +[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] + +## Set default search engine +[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] + +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + +## Show message when opening sites in Internet Explorer +[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] + + + +## Related topics +- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) +- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) +- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) +- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 888b51a3bc..19530f7f71 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -1,102 +1,102 @@ ---- -title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) -description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -ms.prod: edge -ms.topic: reference -ms.mktglfcycl: explore -ms.sitesec: library -ms.localizationpriority: medium -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: ---- - -# Change history for Microsoft Edge -Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. - - -#### [2018](#tab/2018/) -## October 2018 - -The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable -full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. - -We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. - ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: ->> ->>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - -| **New or updated** | **Group Policy** | **Description** | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| -| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | -| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | -| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | -| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | -| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | -| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | -| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | -| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | -| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | -| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | -| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) | [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | -| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | -| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | -| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | -| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | -| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | -| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | -| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | -| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | - -#### [2017](#tab/2017/) -## September 2017 - -|New or changed topic | Description | -|---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | - -## February 2017 - -|New or changed topic | Description | -|----------------------|-------------| -|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | - - -#### [2016](#tab/2016/) -## November 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| -|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | -|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | -|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | -|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | - -## July 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | -|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | -|[Available policies for Microsoft Edge](available-policies.md) |Updated | - - -## June 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |New | - -## May 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | - -* * * +--- +title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) +description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. +ms.prod: edge +ms.topic: reference +ms.mktglfcycl: explore +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +--- + +# Change history for Microsoft Edge +Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. + + +#### [2018](#tab/2018/) +## October 2018 + +The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable +full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. + +We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. + +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +| **New or updated** | **Group Policy** | **Description** | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| +| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | +| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | +| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | +| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | +| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | +| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | +| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | +| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | +| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | +| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) | [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | +| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | +| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | +| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | +| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | +| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | +| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | +| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | + +#### [2017](#tab/2017/) +## September 2017 + +|New or changed topic | Description | +|---------------------|-------------| +|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | + +## February 2017 + +|New or changed topic | Description | +|----------------------|-------------| +|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | + + +#### [2016](#tab/2016/) +## November 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| +|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | +|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | +|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | +|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | + +## July 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | +|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | +|[Available policies for Microsoft Edge](available-policies.md) |Updated | + + +## June 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |New | + +## May 2016 + +|New or changed topic | Description | +|----------------------|-------------| +|[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | + +* * * diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 5944d644ce..730c9d7ac2 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -7,7 +7,9 @@ "**/*.yml" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**", + "**/shortdesc/**" ] } ], @@ -28,7 +30,10 @@ "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", + "audience": "ITPro", "ms.topic": "article", + "manager": "laurawi", + "ms.prod": "edge", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/browsers/edge/edge-technical-demos.md b/browsers/edge/edge-technical-demos.md index 5e6a3bbd9f..8326776612 100644 --- a/browsers/edge/edge-technical-demos.md +++ b/browsers/edge/edge-technical-demos.md @@ -1,38 +1,38 @@ ---- -title: Microsoft Edge training and demonstrations -ms.reviewer: -manager: dansimp -description: Get access to training and demonstrations for Microsoft Edge. -ms.prod: edge -ms.topic: article -ms.manager: elizapo -author: msdmaguire -ms.author: dmaguire -ms.localizationpriority: high ---- - -# Microsoft Edge training and demonstrations - -Explore security and compatibility features of Microsoft Edge, and get tips to increase manageability, productivity, and support for legacy apps. - -## Virtual labs - -Microsoft Hands-On Labs let you experience a software product or technology using a cloud-based private virtual machine environment. Get free access to one or more virtual machines, with no additional software or setup required. - -Check out the **Use Internet Explorer Enterprise Mode to fix compatibility issues (WS00137)" on the [self-paced labs site](https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02). - -## Features and functionality - -Find out more about new and improved features of Microsoft Edge, and how you can leverage them to bring increased productivity, security, manageability, and support for legacy apps to your secure, modern desktop. - -### Building a faster browser: Behind the scenes improvements in Microsoft Edge - -Get a behind the scenes look at Microsoft Edge and the improvements we've made to make it faster and more efficient. - -> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14/player] - -### Building a safer browser: Four guards to keep users safe - -Learn about our security strategy and how we use the Four Guards to keep your users safe while they browse the Internet. - -> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03/player] +--- +title: Microsoft Edge training and demonstrations +ms.reviewer: +audience: itpro manager: dansimp +description: Get access to training and demonstrations for Microsoft Edge. +ms.prod: edge +ms.topic: article +ms.manager: elizapo +author: msdmaguire +ms.author: dmaguire +ms.localizationpriority: high +--- + +# Microsoft Edge training and demonstrations + +Explore security and compatibility features of Microsoft Edge, and get tips to increase manageability, productivity, and support for legacy apps. + +## Virtual labs + +Microsoft Hands-On Labs let you experience a software product or technology using a cloud-based private virtual machine environment. Get free access to one or more virtual machines, with no additional software or setup required. + +Check out the **Use Internet Explorer Enterprise Mode to fix compatibility issues (WS00137)" on the [self-paced labs site](https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02). + +## Features and functionality + +Find out more about new and improved features of Microsoft Edge, and how you can leverage them to bring increased productivity, security, manageability, and support for legacy apps to your secure, modern desktop. + +### Building a faster browser: Behind the scenes improvements in Microsoft Edge + +Get a behind the scenes look at Microsoft Edge and the improvements we've made to make it faster and more efficient. + +> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14/player] + +### Building a safer browser: Four guards to keep users safe + +Learn about our security strategy and how we use the Four Guards to keep your users safe while they browse the Internet. + +> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03/player] diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index afd92b1690..c7882f76e7 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -2,18 +2,18 @@ description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 ms.reviewer: +audience: itpro manager: dansimp author: eavena ms.author: eravena -ms.manager: dougkim -ms.prod: browser-edge +ms.manager: dansimp +ms.prod: edge ms.topic: reference ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) ms.localizationpriority: medium -ms.date: 10/24/2018 --- # Use Enterprise Mode to improve compatibility @@ -45,7 +45,7 @@ If you're having trouble deciding whether Microsoft Edge is right for your organ ## Configure the Enterprise Mode Site List -[Available policy options](includes/configure-enterprise-mode-site-list-include.md) +[!INCLUDE [Available policy options](includes/configure-enterprise-mode-site-list-include.md)] ## Related topics diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md index 9997f747b5..d29ed1ca88 100644 --- a/browsers/edge/group-policies/address-bar-settings-gp.md +++ b/browsers/edge/group-policies/address-bar-settings-gp.md @@ -1,33 +1,33 @@ ---- -title: Microsoft Edge - Address bar group policies -description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Address bar - -Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - -## Allow Address bar drop-down list suggestions -[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] - -## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] - +--- +title: Microsoft Edge - Address bar group policies +description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Address bar + +Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +## Allow Address bar drop-down list suggestions +[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] + +## Configure search suggestions in Address bar +[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] + diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md index cb27d41986..6efc8ee3f8 100644 --- a/browsers/edge/group-policies/adobe-settings-gp.md +++ b/browsers/edge/group-policies/adobe-settings-gp.md @@ -1,35 +1,35 @@ ---- -title: Microsoft Edge - Adobe Flash group policies -description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Adobe Flash - -Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Adobe Flash -[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] - - -## Configure the Adobe Flash Click-to-Run setting -[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)] - +--- +title: Microsoft Edge - Adobe Flash group policies +description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Adobe Flash + +Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. + +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] + + +## Configure the Adobe Flash Click-to-Run setting +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)] + diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md index b6649b869c..633b5b8b51 100644 --- a/browsers/edge/group-policies/books-library-management-gp.md +++ b/browsers/edge/group-policies/books-library-management-gp.md @@ -1,37 +1,37 @@ ---- -title: Microsoft Edge - Books Library group policies -description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Books Library - -Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow a shared books folder -[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] - -## Allow configuration updates for the Books Library -[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)] - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] - -## Always show the Books Library in Microsoft Edge -[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)] +--- +title: Microsoft Edge - Books Library group policies +description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Books Library + +Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. + + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow a shared books folder +[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] + +## Allow configuration updates for the Books Library +[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)] + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] + +## Always show the Books Library in Microsoft Edge +[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)] diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md index 8de1ada8f5..296b99b037 100644 --- a/browsers/edge/group-policies/browser-settings-management-gp.md +++ b/browsers/edge/group-policies/browser-settings-management-gp.md @@ -1,52 +1,52 @@ ---- -title: Microsoft Edge - Browser experience group policies -description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Browser experience - -Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. - - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] - -To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). - - - +--- +title: Microsoft Edge - Browser experience group policies +description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Browser experience + +Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. + + + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow clearing browsing data on exit +[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] + +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] + +## Configure Autofill +[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] + +## Configure Pop-up Blocker +[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] + +## Do not sync +[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] + +To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). + + + diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md index c13c677abc..a5d7e4f42b 100644 --- a/browsers/edge/group-policies/developer-settings-gp.md +++ b/browsers/edge/group-policies/developer-settings-gp.md @@ -1,31 +1,31 @@ ---- -title: Microsoft Edge - Developer tools -description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. -services: -keywords: -ms.localizationpriority: medium -manager: dougkim -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Developer tools - -Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Developer Tools -[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] - -## Prevent access to the about:flags page -[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)] +--- +title: Microsoft Edge - Developer tools +description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. +services: +keywords: +ms.localizationpriority: medium +manager: dougkim +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Developer tools + +Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Developer Tools +[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] + +## Prevent access to the about:flags page +[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)] diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md index 64ceac0368..5230bc5f52 100644 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ b/browsers/edge/group-policies/extensions-management-gp.md @@ -1,33 +1,33 @@ ---- -title: Microsoft Edge - Extensions group policies -description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Extensions - -Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Extensions -[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] - -## Allow sideloading of extensions -[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)] +--- +title: Microsoft Edge - Extensions group policies +description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Extensions + +Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Extensions +[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] + +## Allow sideloading of extensions +[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)] + +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)] diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md index 9e33839605..6ba684a843 100644 --- a/browsers/edge/group-policies/favorites-management-gp.md +++ b/browsers/edge/group-policies/favorites-management-gp.md @@ -1,39 +1,39 @@ ---- -title: Microsoft Edge - Favorites group policies -description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. -services: -keywords: -ms.localizationpriority: medium -manager: dansimp -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Favorites - -You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. - ->[!TIP] ->You can find the Favorites under C:\\Users\\<_username_>\\Favorites. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] - -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] - -## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] - -## Provision Favorites -[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] +--- +title: Microsoft Edge - Favorites group policies +description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. +services: +keywords: +ms.localizationpriority: medium +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +ms.topic: reference +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Favorites + +You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. + +>[!TIP] +>You can find the Favorites under C:\\Users\\<_username_>\\Favorites. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] + +## Keep favorites in sync between Internet Explorer and Microsoft Edge +[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] + +## Prevent changes to Favorites on Microsoft Edge +[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] + +## Provision Favorites +[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md index 653b98b0c5..f9db9cbcb3 100644 --- a/browsers/edge/group-policies/home-button-gp.md +++ b/browsers/edge/group-policies/home-button-gp.md @@ -1,47 +1,47 @@ ---- -title: Microsoft Edge - Home button group policies -description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Home button - -Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. - -## Relevant group policies - -- [Configure Home Button](#configure-home-button) -- [Set Home Button URL](#set-home-button-url) -- [Unlock Home Button](#unlock-home-button) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) - -![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) - -![Hide home button](../images/home-button-hide-v4-sm.png) - - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] - +--- +title: Microsoft Edge - Home button group policies +description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + +# Home button + +Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. + +## Relevant group policies + +- [Configure Home Button](#configure-home-button) +- [Set Home Button URL](#set-home-button-url) +- [Unlock Home Button](#unlock-home-button) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) + +![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) + +![Hide home button](../images/home-button-hide-v4-sm.png) + + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] + +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] + diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index c6779219cb..24dc169b1a 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md @@ -1,79 +1,79 @@ ---- -title: Microsoft Edge - Interoperability and enterprise mode guidance -description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. -ms.localizationpriority: medium -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Interoperability and enterprise mode guidance - -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. - ->[!TIP] ->If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. - -**Technology not supported by Microsoft Edge** - - -- ActiveX controls - -- Browser Helper Objects - -- VBScript - -- x-ua-compatible headers - -- \ tags - -- Legacy document modes - -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - -## Relevant group policies - - -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) - -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) - -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) - -4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) - - -## Configure the Enterprise Mode Site List - -[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] - - -## Send all intranet sites to Internet Explorer 11 - -[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] - - -## Show message when opening sites in Internet Explorer - -[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] - - -## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge - -[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] +--- +title: Microsoft Edge - Interoperability and enterprise mode guidance +description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. +ms.localizationpriority: medium +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + +# Interoperability and enterprise mode guidance + +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. + +>[!TIP] +>If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. + +**Technology not supported by Microsoft Edge** + + +- ActiveX controls + +- Browser Helper Objects + +- VBScript + +- x-ua-compatible headers + +- \ tags + +- Legacy document modes + +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. + +Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. + +## Relevant group policies + + +1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) + +2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) + +3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) + +4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) + + +## Configure the Enterprise Mode Site List + +[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + + +## Send all intranet sites to Internet Explorer 11 + +[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] + + +## Show message when opening sites in Internet Explorer + +[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] + + +## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge + +[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md index 89d7050a86..7e0cf5f89e 100644 --- a/browsers/edge/group-policies/new-tab-page-settings-gp.md +++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md @@ -1,46 +1,46 @@ ---- -title: Microsoft Edge - New Tab page group policies -description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - - -# New Tab page - -Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. - ->[!NOTE] ->New tab pages do not load while running InPrivate mode. - -## Relevant group policies - -- [Set New Tab page URL](#set-new-tab-page-url) -- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) - -![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) - -![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) - - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] - -## Allow web content on New Tab page -[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] +--- +title: Microsoft Edge - New Tab page group policies +description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + + +# New Tab page + +Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. + +>[!NOTE] +>New tab pages do not load while running InPrivate mode. + +## Relevant group policies + +- [Set New Tab page URL](#set-new-tab-page-url) +- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) + +![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) + +![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) + + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md index 51f6c1d949..7ff02e7924 100644 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ b/browsers/edge/group-policies/prelaunch-preload-gp.md @@ -1,10 +1,11 @@ --- title: Microsoft Edge - Prelaunch and tab preload group policies description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. +audience: itpro manager: dansimp ms.author: eravena author: eavena -ms.date: 10/02/2018 +ms.prod: edge ms.reviewer: ms.localizationpriority: medium ms.topic: reference diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md index 1dfa9b9928..6d4876ef46 100644 --- a/browsers/edge/group-policies/search-engine-customization-gp.md +++ b/browsers/edge/group-policies/search-engine-customization-gp.md @@ -1,10 +1,11 @@ --- title: Microsoft Edge - Search engine customization group policies description: Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. +audience: itpro manager: dansimp ms.author: eravena author: eavena -ms.date: 10/02/2018 +ms.prod: edge ms.reviewer: ms.localizationpriority: medium ms.topic: reference diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md index d2322bf7dc..67e656daa8 100644 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ b/browsers/edge/group-policies/security-privacy-management-gp.md @@ -1,74 +1,74 @@ ---- -title: Microsoft Edge - Security and privacy group policies -description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Security and privacy - -Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. - -Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. - -The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. - -For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configure cookies -[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] - -## Configure Password Manager -[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)] - -## Configure Windows Defender SmartScreen -[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for files -[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for sites -[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)] - -## Prevent using Localhost IP address for WebRTC -[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] - - -## Help protect against web-based security threats - -While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. - -Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. - -Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. - -Microsoft Edge addresses these threats to help make browsing the web a safer experience. - - -| Feature | Description | -|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | -| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | -| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | -| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | -| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | -| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. | -| **All web content runs in an app container sandbox** | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | -| **Extension model and HTML5 support** | Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | -| **Reduced attack surfaces** | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | - ---- +--- +title: Microsoft Edge - Security and privacy group policies +description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.topic: reference +--- + +# Security and privacy + +Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. + +Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. + +The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. + +For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configure cookies +[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] + +## Configure Password Manager +[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)] + +## Configure Windows Defender SmartScreen +[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for files +[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)] + +## Prevent bypassing Windows Defender SmartScreen prompts for sites +[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)] + +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)] + +## Prevent using Localhost IP address for WebRTC +[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] + + +## Help protect against web-based security threats + +While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. + +Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. + +Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. + +Microsoft Edge addresses these threats to help make browsing the web a safer experience. + + +| Feature | Description | +|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | +| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | +| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include

| +| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | +| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | +| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | +| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | +| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. | +| **All web content runs in an app container sandbox** | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | +| **Extension model and HTML5 support** | Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | +| **Reduced attack surfaces** | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | + +--- diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md index a94f166a21..ce15044aad 100644 --- a/browsers/edge/group-policies/start-pages-gp.md +++ b/browsers/edge/group-policies/start-pages-gp.md @@ -1,43 +1,43 @@ ---- -title: Microsoft Edge - Start pages group policies -description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. -manager: dansimp -ms.author: eravena -author: eavena -ms.localizationpriority: medium -ms.date: 10/02/2018 -ms.reviewer: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Start pages - -Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. - -## Relevant group policies - -- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) -- [Configure Start Pages](#configure-start-pages) -- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) - - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)] - -## Configure Start Pages -[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)] - -## Disable Lockdown of Start pages -[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] - +--- +title: Microsoft Edge - Start pages group policies +description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.localizationpriority: medium +ms.date: 10/02/2018 +ms.reviewer: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.topic: reference +--- + +# Start pages + +Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. + +## Relevant group policies + +- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) +- [Configure Start Pages](#configure-start-pages) +- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) + + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)] + +## Configure Start Pages +[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)] + +## Disable Lockdown of Start pages +[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] + diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index f14bbe0caf..86ed0db6fc 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -1,45 +1,45 @@ ---- -title: Microsoft Edge - Sync browser settings -description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Sync browser settings - - -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. - - -## Relevant policies -- [Do not sync browser settings](#do-not-sync-browser-settings) -- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png) - -![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) - - -### Verify the configuration -To verify the settings: -1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). -2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) - - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] +--- +title: Microsoft Edge - Sync browser settings +description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.topic: reference +--- + +# Sync browser settings + + +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. + + +## Relevant policies +- [Do not sync browser settings](#do-not-sync-browser-settings) +- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png) + +![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) + + +### Verify the configuration +To verify the settings: +1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). +2. Click **Settings**. +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) + + +## Do not sync browser settings +[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md index 7ef162127b..3de0998564 100644 --- a/browsers/edge/group-policies/telemetry-management-gp.md +++ b/browsers/edge/group-policies/telemetry-management-gp.md @@ -1,31 +1,31 @@ ---- -title: Microsoft Edge - Telemetry and data collection group policies -description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. -manager: dansimp -ms.author: eravena -author: eavena -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Telemetry and data collection - -Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure Do Not Track -[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] - -## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] +--- +title: Microsoft Edge - Telemetry and data collection group policies +description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +ms.date: 10/02/2018 +ms.reviewer: +ms.localizationpriority: medium +ms.topic: reference +--- + +# Telemetry and data collection + +Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] + +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] + +## Configure Do Not Track +[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] + +## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index 3ac0066282..2a2ca7e399 100644 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -1,15 +1,15 @@ ---- -description: A full-sized view of the Microsoft Edge infographic. -title: Full-sized view of the Microsoft Edge infographic -ms.date: 11/10/2016 -ms.reviewer: -manager: dansimp -ms.author: eravena -author: eavena ---- - -Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
-Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892) - -![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png) - +--- +description: A full-sized view of the Microsoft Edge infographic. +title: Full-sized view of the Microsoft Edge infographic +ms.date: 11/10/2016 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +--- + +Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
+Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892) + +![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png) + diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md index 4c5c1fe4dd..fdcebd090e 100644 --- a/browsers/edge/includes/allow-address-bar-suggestions-include.md +++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md @@ -1,52 +1,52 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)] - - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Address bar drop-down list suggestions -- **GP name:** AllowAddressBarDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI -- **Value name:** ShowOneBox -- **Value type:** REG_DWORD - - -### Related policies - -[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)] + + +### Supported values + + +| Group Policy | MDM | Registry | Description | Most restricted | +|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Address bar drop-down list suggestions +- **GP name:** AllowAddressBarDropdown +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI +- **Value name:** ShowOneBox +- **Value type:** REG_DWORD + + +### Related policies + +[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +
diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 47675924db..3a7671c32a 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -3,6 +3,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 ms.reviewer: +audience: itpro manager: dansimp ms.prod: edge ms.topic: include @@ -34,7 +35,7 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash - **Data type:** Integer #### Registry settings diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md index 64bd285ba5..bd8b84f244 100644 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented)* - -[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | | -| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. | ![Most restricted value](../images/check-gn.png) | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow clearing browsing data on exit -- **GP name:** AllowClearingBrowsingDataOnExit -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit -- **Data type:** Integer - -#### Registry -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy -- **Value name:** ClearBrowsingHistoryOnExit -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented)* + +[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] + +### Supported values + + +| Group Policy | MDM | Registry | Description | Most restricted | +|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | | +| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. | ![Most restricted value](../images/check-gn.png) | + +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow clearing browsing data on exit +- **GP name:** AllowClearingBrowsingDataOnExit +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit +- **Data type:** Integer + +#### Registry +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy +- **Value name:** ClearBrowsingHistoryOnExit +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index 49a95f52da..02b449e5e2 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -1,49 +1,49 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow configuration updates for the Books Library -- **GP name:** AllowConfigurationUpdateForBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary -- **Value name:** AllowConfigurationUpdateForBooksLibrary -- **Value type:** REG_DWORD - -### Related topics - -[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow configuration updates for the Books Library +- **GP name:** AllowConfigurationUpdateForBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary +- **Value name:** AllowConfigurationUpdateForBooksLibrary +- **Value type:** REG_DWORD + +### Related topics + +[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] + +
diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md index 2344e1dd4c..248600e48b 100644 --- a/browsers/edge/includes/allow-cortana-include.md +++ b/browsers/edge/includes/allow-cortana-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Cortana -- **GP name:** AllowCortana -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) -- **Supported devices:** Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search -- **Value name:** AllowCortana -- **Value type:** REG_DWORD - -
- +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Cortana +- **GP name:** AllowCortana +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) +- **Supported devices:** Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search +- **Value name:** AllowCortana +- **Value type:** REG_DWORD + +
+ diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md index d23b42dea1..8a715d6905 100644 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed | | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Developer Tools -- **GP name:** AllowDeveloperTools -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) -- **Supported devices:** Desktop -- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 -- **Value name:** AllowDeveloperTools -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed | | + +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Developer Tools +- **GP name:** AllowDeveloperTools +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) +- **Supported devices:** Desktop +- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 +- **Value name:** AllowDeveloperTools +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md index ca38514f37..be4dcd7cfd 100644 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured* - -[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | - ---- -### ADMX info and settings - -#### ADMX info -- **GP English name:** Always show the Books Library in Microsoft Edge -- **GP name:** AlwaysEnableBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AlwaysEnableBooksLibrary -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured* + +[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | + +--- +### ADMX info and settings + +#### ADMX info +- **GP English name:** Always show the Books Library in Microsoft Edge +- **GP name:** AlwaysEnableBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AlwaysEnableBooksLibrary +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index bf40a1e858..1b39d3081d 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
->*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* - -[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Gather and send only basic diagnostic data. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow extended telemetry for the Books tab -- **GP name:** EnableExtendedBooksTelemetry -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary -- **Value name:** EnableExtendedBooksTelemetry -- **Value type:** REG_DWORD - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
+>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* + +[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Gather and send only basic diagnostic data. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow extended telemetry for the Books tab +- **GP name:** EnableExtendedBooksTelemetry +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Value name:** EnableExtendedBooksTelemetry +- **Value type:** REG_DWORD + + +
diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md index 6660627600..977e027f08 100644 --- a/browsers/edge/includes/allow-extensions-include.md +++ b/browsers/edge/includes/allow-extensions-include.md @@ -1,49 +1,49 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------------------------|:---:|:--------:|-------------| -| Disabled | 0 | 0 | Prevented | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Extensions -- **GP name:** AllowExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions -- **Value name:** ExtensionsEnabled -- **Value type:** REG_DWORD - -### Related topics - -[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------------------------|:---:|:--------:|-------------| +| Disabled | 0 | 0 | Prevented | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Extensions +- **GP name:** AllowExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions +- **Value name:** ExtensionsEnabled +- **Value type:** REG_DWORD + +### Related topics + +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +
diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md index 286ac8e876..34d3dc32be 100644 --- a/browsers/edge/includes/allow-full-screen-include.md +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - - -[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow fullscreen mode -- **GP name:** AllowFullScreenMode -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AllowFullScreenMode -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + + +[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow fullscreen mode +- **GP name:** AllowFullScreenMode +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AllowFullScreenMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md index bce38eb870..0d66095576 100644 --- a/browsers/edge/includes/allow-inprivate-browsing-include.md +++ b/browsers/edge/includes/allow-inprivate-browsing-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Enabled or not configured (Allowed)* - - -[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow InPrivate browsing -- **GP name:** AllowInPrivate -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowInPrivate -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled or not configured (Allowed)* + + +[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow InPrivate browsing +- **GP name:** AllowInPrivate +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowInPrivate +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md index 8da879cdd9..580909fe1d 100644 --- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md +++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Compatibility List -- **GP name:** AllowCVList -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation -- **Value name:** MSCompatibilityMode -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Compatibility List +- **GP name:** AllowCVList +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation +- **Value name:** MSCompatibilityMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index 0aad17ca17..1953faa630 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -- **GP name:** AllowPreLaunch -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AllowPrelaunch -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +- **GP name:** AllowPreLaunch +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** AllowPrelaunch +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md index dd60c9aaba..47055ba966 100644 --- a/browsers/edge/includes/allow-printing-include.md +++ b/browsers/edge/includes/allow-printing-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow printing -- **GP name:** AllowPrinting -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowPrinting -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow printing +- **GP name:** AllowPrinting +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowPrinting +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md index 49913f23c9..874d301abb 100644 --- a/browsers/edge/includes/allow-saving-history-include.md +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -1,47 +1,47 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Saving History -- **GP name:** AllowSavingHistory -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowSavingHistory -- **Value type:** REG_DWORD - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Saving History +- **GP name:** AllowSavingHistory +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowSavingHistory +- **Value type:** REG_DWORD + + +
diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md index 6c1fb2e5db..eb4891088f 100644 --- a/browsers/edge/includes/allow-search-engine-customization-include.md +++ b/browsers/edge/includes/allow-search-engine-customization-include.md @@ -1,59 +1,59 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -##### ADMX info -- **GP English name:** Allow search engine customization -- **GP name:** AllowSearchEngineCustomization -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization -- **Data type:** Integer - - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected -- **Value name:** AllowSearchEngineCustomization -- **Value type:** REG_DWORD - - -### Related policies - -- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -### Related topics - -- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] - -- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + +--- + +### ADMX info and settings + +##### ADMX info +- **GP English name:** Allow search engine customization +- **GP name:** AllowSearchEngineCustomization +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +- **Data type:** Integer + + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected +- **Value name:** AllowSearchEngineCustomization +- **Value type:** REG_DWORD + + +### Related policies + +- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +### Related topics + +- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] + +- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)] + +
diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md index 712fba9532..fadbac9ad5 100644 --- a/browsers/edge/includes/allow-shared-folder-books-include.md +++ b/browsers/edge/includes/allow-shared-folder-books-include.md @@ -1,53 +1,53 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803*
->*Default setting: Disabled or not configured (Not allowed)* - -[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] - - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account. | | - ---- - -![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow a shared Books folder -- **GP name:** UseSharedFolderForBooks -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary -- **Value name:** UseSharedFolderForBooks -- **Value type:** REG_DWORD - -### Related policies - -**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1803*
+>*Default setting: Disabled or not configured (Not allowed)* + +[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] + + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account. | | + +--- + +![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow a shared Books folder +- **GP name:** UseSharedFolderForBooks +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Value name:** UseSharedFolderForBooks +- **Value type:** REG_DWORD + +### Related policies + +**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] + +

diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md index 0c1108d2d5..987387dbe6 100644 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -1,55 +1,55 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow sideloading of Extensions -- **GP name:** AllowSideloadingOfExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** AllowSideloadingOfExtensions -- **Value type:** REG_DWORD - -### Related policies - -- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. - -- [Allow all trusted apps to install](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. - -### Related topics - -[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled (Allowed)* + +[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow sideloading of Extensions +- **GP name:** AllowSideloadingOfExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** AllowSideloadingOfExtensions +- **Value type:** REG_DWORD + +### Related policies + +- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. + +- [Allow all trusted apps to install](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. + +### Related topics + +[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. + +

diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index b6ba4f0e8e..2083558b86 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1802*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed -- **GP name:** AllowTabPreloading -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading -- **Data type:** Integer - -#### Registry settings -- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader -- **Create Value name:** AllowTabPreloading -- **Value type:** REG_DWORD -- **DWORD Value:** 1 - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1802*
+>*Default setting: Enabled or not configured (Allowed)* + +[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed +- **GP name:** AllowTabPreloading +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading +- **Data type:** Integer + +#### Registry settings +- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader +- **Create Value name:** AllowTabPreloading +- **Value type:** REG_DWORD +- **DWORD Value:** 1 + +
diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index ece2371a32..88e91371ac 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -1,50 +1,50 @@ ---- -author: eavena -ms.author: eravena -ms.date: 11/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (the default New Tab page loads)* - - -[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|-----------------------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------| -| Disabled | 0 | 0 | Load a blank page instead of the default New Tab page and prevent users from making changes. | -| Enabled or not configured **(default)** | 1 | 1 | Load the default New Tab page and the users make changes. | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow web content on New Tab page -- **GP name:** AllowWebContentOnNewTabPage -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI -- **Value name:** AllowWebContentOnNewTabPage -- **Value type:** REG_DWORD - -### Related policies -[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 11/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (the default New Tab page loads)* + + +[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | +|-----------------------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------| +| Disabled | 0 | 0 | Load a blank page instead of the default New Tab page and prevent users from making changes. | +| Enabled or not configured **(default)** | 1 | 1 | Load the default New Tab page and the users make changes. | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Allow web content on New Tab page +- **GP name:** AllowWebContentOnNewTabPage +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI +- **Value name:** AllowWebContentOnNewTabPage +- **Value type:** REG_DWORD + +### Related policies +[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] + +
diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md index 5edf01302b..7cb4f04653 100644 --- a/browsers/edge/includes/always-enable-book-library-include.md +++ b/browsers/edge/includes/always-enable-book-library-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured* - - -[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Always show the Books Library in Microsoft Edge -- **GP name:** AlwaysEnableBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AlwaysEnableBooksLibrary -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured* + + +[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Always show the Books Library in Microsoft Edge +- **GP name:** AlwaysEnableBooksLibrary +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AlwaysEnableBooksLibrary +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md index be90043b57..e1ff2e9999 100644 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ b/browsers/edge/includes/configure-additional-search-engines-include.md @@ -1,58 +1,58 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented)* - -[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure additional search engines -- **GP name:** ConfigureAdditionalSearchEngines -- **GP element:** ConfigureAdditionalSearchEngines_Prompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch -- **Value name:** ConfigureAdditionalSearchEngines -- **Value type:** REG_SZ - -### Related policies - -- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - - -### Related topics - -- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented)* + +[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure additional search engines +- **GP name:** ConfigureAdditionalSearchEngines +- **GP element:** ConfigureAdditionalSearchEngines_Prompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch +- **Value name:** ConfigureAdditionalSearchEngines +- **Value type:** REG_SZ + +### Related policies + +- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + + +### Related topics + +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. + +

diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md index a1ee2cc569..852be617a5 100644 --- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md +++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Does not load content automatically)* - -[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | | -| Enabled or not configured
**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Configure the Adobe Flash Click-to-Run setting -- **GP name:** AllowFlashClickToRun -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security -- **Value name:** FlashClickToRunMode -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Does not load content automatically)* + +[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | | +| Enabled or not configured
**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings + +#### ADMX info +- **GP English name:** Configure the Adobe Flash Click-to-Run setting +- **GP name:** AllowFlashClickToRun +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security +- **Value name:** FlashClickToRunMode +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md index 18e02058ad..1ef991e263 100644 --- a/browsers/edge/includes/configure-autofill-include.md +++ b/browsers/edge/includes/configure-autofill-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Blank)* - -[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Users can choose to use Autofill. | | -| Disabled | 0 | no | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | yes | Allowed. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Autofill -- **GP name:** AllowAutofill -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** Use FormSuggest -- **Value type:** REG_SZ - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Blank)* + +[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Users can choose to use Autofill. | | +| Disabled | 0 | no | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | yes | Allowed. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Autofill +- **GP name:** AllowAutofill +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** Use FormSuggest +- **Value type:** REG_SZ + +
diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 1f55150328..1525399652 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,65 +1,65 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (No data collected or sent)* - -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] - - -> [!IMPORTANT] -> For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. -> -> You can find these policies in the following location of the Group Policy Editor: -> -> **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** -> - - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | No data collected or sent | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Send intranet history only | | -| Enabled | 2 | 2 | Send Internet history only | | -| Enabled | 3 | 3 | Send both intranet and Internet history | | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics -- **GP name:** ConfigureTelemetryForMicrosoft365Analytics -- **GP element:** ZonesListBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - - -#### MDM settings -- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection -- **Value name:** MicrosoftEdgeDataOptIn -- **Value type:** REG_DWORD - -### Related policies -- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM). - -- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (No data collected or sent)* + +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] + + +> [!IMPORTANT] +> For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. +> +> You can find these policies in the following location of the Group Policy Editor: +> +> **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** +> + + +### Supported values + + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | No data collected or sent | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Send intranet history only | | +| Enabled | 2 | 2 | Send Internet history only | | +| Enabled | 3 | 3 | Send both intranet and Internet history | | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics +- **GP name:** ConfigureTelemetryForMicrosoft365Analytics +- **GP element:** ZonesListBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + + +#### MDM settings +- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection +- **Value name:** MicrosoftEdgeDataOptIn +- **Value type:** REG_DWORD + +### Related policies +- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM). + +- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. + +
diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md index a8a8fd2d5f..36922a6177 100644 --- a/browsers/edge/includes/configure-cookies-include.md +++ b/browsers/edge/includes/configure-cookies-include.md @@ -1,46 +1,46 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allow all cookies from all sites)* - -[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:| -| Enabled | 0 | 0 | Block all cookies from all sites. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Block only cookies from third party websites. | | -| Disabled or not configured
**(default)** | 2 | 2 | Allow all cookies from all sites. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure cookies -- **GP name:** Cookies -- **GP element:** CookiesListBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** Cookies -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allow all cookies from all sites)* + +[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:| +| Enabled | 0 | 0 | Block all cookies from all sites. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Block only cookies from third party websites. | | +| Disabled or not configured
**(default)** | 2 | 2 | Allow all cookies from all sites. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure cookies +- **GP name:** Cookies +- **GP element:** CookiesListBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** Cookies +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md index 7e0f59943e..f4868357b9 100644 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ b/browsers/edge/includes/configure-do-not-track-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Do not send tracking information)* - -[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | | -| Disabled | 0 | 0 | Never send tracking information. | | -| Enabled | 1 | 1 | Send tracking information. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Do Not Track -- **GP name:** AllowDoNotTrack -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** DoNotTrack -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Do not send tracking information)* + +[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | | +| Disabled | 0 | 0 | Never send tracking information. | | +| Enabled | 1 | 1 | Send tracking information. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Do Not Track +- **GP name:** AllowDoNotTrack +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** DoNotTrack +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index 4d4aea6068..ccdd275e01 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -1,56 +1,56 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: 5 minutes* - -[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] - -You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). - -### Supported values - -- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - -- **0** – No idle timer. - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure kiosk reset after idle timeout -- **GP name:** ConfigureKioskResetAfterIdleTimeout -- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- Value name:ConfigureKioskResetAfterIdleTimeout -- **Value type:** REG_DWORD - - - -### Related policies - -[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] - - - -### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: 5 minutes* + +[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + +You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). + +### Supported values + +- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. + +- **0** – No idle timer. + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure kiosk reset after idle timeout +- **GP name:** ConfigureKioskResetAfterIdleTimeout +- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- Value name:ConfigureKioskResetAfterIdleTimeout +- **Value type:** REG_DWORD + + + +### Related policies + +[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] + + + +### Related topics +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. + +
diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 65c68c67e1..0c02984f58 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -38,8 +38,9 @@ ### Related Policies -[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE -[show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] +[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer) + +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] ### Related topics @@ -55,4 +56,4 @@ -
\ No newline at end of file +
diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md index 6fdeb3ee83..e4e4ae2cb6 100644 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ b/browsers/edge/includes/configure-favorites-bar-include.md @@ -1,48 +1,48 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* - - -[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] - - -### Supported values - - -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | -|Disabled |0 |0 |Hidden on all pages.

| -|Enabled |1 |1 |Shown on all pages. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Favorites Bar -- **GP name:** ConfigureFavoritesBar -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** ConfigureFavoritesBar -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* + + +[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] + + +### Supported values + + +|Group Policy |MDM |Registry |Description | +|---|:---:|:---:|---| +|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | +|Disabled |0 |0 |Hidden on all pages.

| +|Enabled |1 |1 |Shown on all pages. | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Favorites Bar +- **GP name:** ConfigureFavoritesBar +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** ConfigureFavoritesBar +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md index 4c2ab722f9..500c9acc12 100644 --- a/browsers/edge/includes/configure-favorites-include.md +++ b/browsers/edge/includes/configure-favorites-include.md @@ -1,14 +1,14 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead. + +
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index 2535093959..3082d3014b 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,61 +1,61 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/28/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Show home button and load the Start page)* - - -[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | -| Enabled | 3 | 3 | Hide the home button. | - ---- - - ->[!TIP] ->If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Home Button -- **GP name:** ConfigureHomeButton -- **GP element:** ConfigureHomeButtonDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/28/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Show home button and load the Start page)* + + +[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | +| Enabled | 3 | 3 | Hide the home button. | + +--- + + +>[!TIP] +>If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
+ + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Home Button +- **GP name:** ConfigureHomeButton +- **GP element:** ConfigureHomeButtonDropdown +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + + +
diff --git a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md index e5a7ff9155..bda51bb3e5 100644 --- a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md +++ b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md @@ -1,17 +1,16 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/27/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -| | | -|----------|------| -|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | -| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | - ---- +--- +author: eavena +ms.author: eravena +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +| | | +|----------|------| +|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | +| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | + +--- diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index adc3dbf183..1c08a3d745 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md @@ -1,51 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/27/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Not configured* - -[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] - -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). - -### Supported values - -[!INCLUDE [configure-kiosk-mode-supported-values-include](configure-kiosk-mode-supported-values-include.md)] - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure kiosk mode -- **GP name:** ConfigureKioskMode -- **GP element:** ConfigureKioskMode_TextBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- **Value name:** ConfigureKioskMode -- **Value type:** REG_SZ - -### Related policies -[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] - - -### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/27/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured* + +[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] + +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). + +### Supported values + +[!INCLUDE [configure-kiosk-mode-supported-values-include](configure-kiosk-mode-supported-values-include.md)] + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure kiosk mode +- **GP name:** ConfigureKioskMode +- **GP element:** ConfigureKioskMode_TextBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- **Value name:** ConfigureKioskMode +- **Value type:** REG_SZ + +### Related policies +[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + + +### Related topics +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. + +
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index 02f0daa65a..a86cf568ce 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,68 +1,68 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (A specific page or pages)* - -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. - -**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

- -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -| Enabled | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the previous pages. | -| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | - ---- - - ->[!TIP] ->If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Open Microsoft Edge With -- **GP name:** ConfigureOpenMicrosoftEdgeWith -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureOpenEdgeWith -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - - - - - ---- +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled (A specific page or pages)* + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. + +**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+ +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | +| Enabled | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the previous pages. | +| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | + +--- + + +>[!TIP] +>If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
+ + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Open Microsoft Edge With +- **GP name:** ConfigureOpenMicrosoftEdgeWith +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureOpenEdgeWith +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + + + + + +--- diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md index 4b6365e007..5f075480ea 100644 --- a/browsers/edge/includes/configure-password-manager-include.md +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -1,49 +1,49 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Allowed/users can change the setting)* - -[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | | -| Disabled | 0 | no | Not allowed. | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | yes | Allowed. | | - ---- - -Verify not allowed/disabled settings: -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the settings **Save Password** is toggled off or on and is greyed out. - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Password Manager -- **GP name:** AllowPasswordManager -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** FormSuggest Passwords -- **Value type:** REG_SZ - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed/users can change the setting)* + +[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | | +| Disabled | 0 | no | Not allowed. | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | yes | Allowed. | | + +--- + +Verify not allowed/disabled settings: +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the settings **Save Password** is toggled off or on and is greyed out. + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Password Manager +- **GP name:** AllowPasswordManager +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** FormSuggest Passwords +- **Value type:** REG_SZ + +
diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md index 69b8c53e36..43374d7ccd 100644 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ b/browsers/edge/includes/configure-pop-up-blocker-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled (Turned off)* - -[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | | -| Disabled
**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | | -| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Pop-up Blocker -- **GP name:** AllowPopups -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups -- **Data type:** Integer - -### Registry -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowPopups -- **Value type:** REG_SZ - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled (Turned off)* + +[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | | +| Disabled
**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | | +| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Pop-up Blocker +- **GP name:** AllowPopups +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups +- **Data type:** Integer + +### Registry +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** AllowPopups +- **Value type:** REG_SZ + +
diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md index a3510a557c..5e74e11ac7 100644 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md @@ -1,45 +1,45 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Blank)* - -[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Users can choose to see search suggestions. | | -| Disabled | 0 | 0 | Prevented. Hide the search suggestions. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Show the search suggestions. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure search suggestions in Address bar -- **GP name:** AllowSearchSuggestionsinAddressBar -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes -- **Value name:** ShowSearchSuggestionsGlobal -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Blank)* + +[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Users can choose to see search suggestions. | | +| Disabled | 0 | 0 | Prevented. Hide the search suggestions. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Show the search suggestions. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure search suggestions in Address bar +- **GP name:** AllowSearchSuggestionsinAddressBar +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes +- **Value name:** ShowSearchSuggestionsGlobal +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 6a64d182d4..911d1b11c9 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -1,54 +1,54 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Blank or not configured (Load pages specified in App settings)* - -[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|----------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | Load the pages specified in App settings as the default Start pages. | -| Enabled | String | String | Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Start pages -- **GP name:** HomePages -- **GP element:** HomePagesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ProvisionedHomePages -- **Value type:** REG_SZ - - -### Related policies - -- [Disable Lockdown of Start Pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - -- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - - - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Blank or not configured (Load pages specified in App settings)* + +[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|----------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | Load the pages specified in App settings as the default Start pages. | +| Enabled | String | String | Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Start pages +- **GP name:** HomePages +- **GP element:** HomePagesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ProvisionedHomePages +- **Value type:** REG_SZ + + +### Related policies + +- [Disable Lockdown of Start Pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + + + +

diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index f842745478..d86492ba81 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -1,50 +1,50 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Turned on)* - -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | -| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | -| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | - ---- - -To verify Windows Defender SmartScreen is turned off (disabled): -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Windows Defender SmartScreen -- **GP name:** AllowSmartScreen -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** EnabledV9 -- **Value type:** REG_DWORD - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Turned on)* + +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | +| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | +| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | + +--- + +To verify Windows Defender SmartScreen is turned off (disabled): +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure Windows Defender SmartScreen +- **GP name:** AllowSmartScreen +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** EnabledV9 +- **Value type:** REG_DWORD + +

diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md index c95b9faf73..d2ae261042 100644 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md @@ -1,58 +1,58 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Start pages are not editable)* - -[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Disable lockdown of Start pages -- **GP name:** DisableLockdownOfStartPages -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** DisableLockdownOfStartPages -- **Value type:** REG_SZ - - - - - -### Related Policies -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -### Related topics - -[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Start pages are not editable)* + +[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Disable lockdown of Start pages +- **GP name:** DisableLockdownOfStartPages +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** DisableLockdownOfStartPages +- **Value type:** REG_SZ + + + + + +### Related Policies +- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] + +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +### Related topics + +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +

diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index 97cbb929bd..c20bdd6781 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -1,55 +1,55 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allowed/turned on)* - -[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | -| Enabled | 2 | 2 | Prevented/turned off. The “browser” group does not use the *Sync your Settings* option. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Do not sync browser settings -- **GP name:** DisableWebBrowserSettingSync -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync -- **Value name:** DisableWebBrowserSettingSyncUserOverride -- **Value - -### Related policies - -[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] - - - -### Related topics - -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) -

-

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allowed/turned on)* + +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | +| Enabled | 2 | 2 | Prevented/turned off. The “browser” group does not use the *Sync your Settings* option. | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Do not sync browser settings +- **GP name:** DisableWebBrowserSettingSync +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync +- **Value name:** DisableWebBrowserSettingSyncUserOverride +- **Value + +### Related policies + +[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + + + +### Related topics + +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) +

+

diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md index 0adc074785..e959162f90 100644 --- a/browsers/edge/includes/do-not-sync-include.md +++ b/browsers/edge/includes/do-not-sync-include.md @@ -1,48 +1,48 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allowed/turned on)* - -[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | | -| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Do not sync -- **GP name:** AllowSyncMySettings -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync -- **Value name:** DisableSettingSyn -- **Value type:** REG_DWORD - -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced. - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allowed/turned on)* + +[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | | +| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Do not sync +- **GP name:** AllowSyncMySettings +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync +- **Value name:** DisableSettingSyn +- **Value type:** REG_DWORD + +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced. + + +
diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md index 724125788a..afb78c58e3 100644 --- a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md +++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md index 539b1cd2fd..d64fe44479 100644 --- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md +++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md @@ -1,21 +1,21 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - ->*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
->*Default setting: Disabled or not configured* - -By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. - ->[!NOTE] ->If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. - -You can find the group policy settings in the following location of the Group Policy Editor: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +>*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured* + +By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. + +>[!NOTE] +>If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. + +You can find the group policy settings in the following location of the Group Policy Editor: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md index a7ff412c85..eb790351a1 100644 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Turned off/not syncing)* - -[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Turned off/not syncing | | -| Enabled | 1 | 1 | Turned on/syncing | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -### ADMX info -- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge -- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Turned off/not syncing)* + +[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Turned off/not syncing | | +| Enabled | 1 | 1 | Turned on/syncing | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +### ADMX info +- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge +- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md index 4b65a2458c..211b16465b 100644 --- a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md +++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md index 31f94d4c49..144451edb0 100644 --- a/browsers/edge/includes/prevent-access-about-flag-include.md +++ b/browsers/edge/includes/prevent-access-about-flag-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed | | -| Enabled | 1 | 1 | Prevented | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent access to the about:flags page in Microsoft Edge -- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed | | +| Enabled | 1 | 1 | Prevented | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent access to the about:flags page in Microsoft Edge +- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md index 301dd68424..1c3c2ebf02 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files -- **GP name:** PreventSmartScreenPromptOverrideForFiles -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** PreventOverrideAppRepUnknown -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files +- **GP name:** PreventSmartScreenPromptOverrideForFiles +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** PreventOverrideAppRepUnknown +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md index 04339b930a..a6b5e9dde9 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites -- **GP name:** PreventSmartscreenPromptOverride -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** PreventOverride -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites +- **GP name:** PreventSmartscreenPromptOverride +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter +- **Value name:** PreventOverride +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md index a776bb08b6..ab20b1ca5b 100644 --- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md +++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md @@ -1,43 +1,43 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent certificate error overrides -- **GP name:** PreventCertErrorOverrides -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting -- **Value name:** PreventCertErrorOverrides -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Allowed/turned off)* + +[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent certificate error overrides +- **GP name:** PreventCertErrorOverrides +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting +- **Value name:** PreventCertErrorOverrides +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md index de0f5e7ac7..0b6691b746 100644 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured (Allowed/not locked down)* - -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | -| Enabled | 1 | 1 | Prevented/locked down. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent changes to Favorites on Microsoft Edge -- **GP name:** LockdownFavorites -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** LockdownFavorites -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured (Allowed/not locked down)* + +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | +| Enabled | 1 | 1 | Prevented/locked down. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent changes to Favorites on Microsoft Edge +- **GP name:** LockdownFavorites +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** LockdownFavorites +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md index 0e3e9fa8b1..be8eec24b9 100644 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | | -| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge -- **GP name:** PreventFirstRunPage -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage -- **Data type:** Integer - -#### Registry -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventFirstRunPage -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | | +| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge +- **GP name:** PreventFirstRunPage +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +- **Data type:** Integer + +#### Registry +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventFirstRunPage +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md index bfc0e23f6b..ea8f458f04 100644 --- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md +++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Collect and send)* - -[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Collect and send Live Tile metadata. | | -| Enabled | 1 | 1 | Do not collect data. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -- **GP name:** PreventLiveTileDataCollection -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventLiveTileDataCollection -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Collect and send)* + +[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Collect and send Live Tile metadata. | | +| Enabled | 1 | 1 | Do not collect data. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +- **GP name:** PreventLiveTileDataCollection +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** PreventLiveTileDataCollection +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md index 407dd4c596..0bc6ba7764 100644 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md @@ -1,44 +1,44 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* - -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | | -| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent using Localhost IP address for WebRTC -- **GP name:** HideLocalHostIPAddress -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** HideLocalHostIPAddress -- **Value type:** REG_DWORD - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* + +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | | +| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent using Localhost IP address for WebRTC +- **GP name:** HideLocalHostIPAddress +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** HideLocalHostIPAddress +- **Value type:** REG_DWORD + +
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md index 6257f4e2fb..e1a4a50a05 100644 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -1,59 +1,59 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | Description | -|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office extension prevents users from turning it off:

*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent turning off required extensions -- **GP name:** PreventTurningOffRequiredExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** PreventTurningOffRequiredExtensions -- **Value type:** REG_SZ - -### Related policies -[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Related topics - -- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. -- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. -- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. -- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. -- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] + +### Supported values + +| Group Policy | Description | +|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | +| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office extension prevents users from turning it off:

*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | + +--- + + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent turning off required extensions +- **GP name:** PreventTurningOffRequiredExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** PreventTurningOffRequiredExtensions +- **Value type:** REG_SZ + +### Related policies +[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Related topics + +- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. +- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. +- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. + +

diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index e7f4651365..d04f548fca 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -1,48 +1,48 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Prevented/turned off)* - -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------------------------|:---:|:--------:|---------------------------------------------------------| -| Disabled | 0 | 0 | Allowed/turned on. Users can sync the browser settings. | -| Enabled or not configured
**(default)** | 1 | 1 | Prevented/turned off. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent users from turning on browser syncing -- **GP name:** PreventUsersFromTurningOnBrowserSyncing -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing -- **Data type:** String - - -### Related policies -[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. - -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Enabled or not configured (Prevented/turned off)* + +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|--------------------------------------------|:---:|:--------:|---------------------------------------------------------| +| Disabled | 0 | 0 | Allowed/turned on. Users can sync the browser settings. | +| Enabled or not configured
**(default)** | 1 | 1 | Prevented/turned off. | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent users from turning on browser syncing +- **GP name:** PreventUsersFromTurningOnBrowserSyncing +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx + +#### MDM settings +- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +- **Data type:** String + + +### Related policies +[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. + +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) + + +
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index 0df09c2d46..fdb0016715 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -1,52 +1,52 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Customizable)* - -[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] - - ->[!IMPORTANT] ->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - -### Supported values - -| Group Policy | Description | Most restricted | -|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Provision Favorites -- **GP name:** ConfiguredFavorites -- **GP element:** ConfiguredFavoritesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** ConfiguredFavorites -- **Value type:** REG_SZ - -### Related policies -[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Customizable)* + +[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + + +>[!IMPORTANT] +>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + +### Supported values + +| Group Policy | Description | Most restricted | +|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | +| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Provision Favorites +- **GP name:** ConfiguredFavorites +- **GP element:** ConfiguredFavoritesPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites +- **Value name:** ConfiguredFavorites +- **Value type:** REG_SZ + +### Related policies +[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] + +
diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md index a09dedbcc5..ef83bc4778 100644 --- a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md +++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index af93dd7bba..2d8195f03e 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -1,62 +1,62 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - ->[!TIP] ->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Send all intranet sites to Internet Explorer 11 -- **GP name:** SendIntranetTraffictoInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** SendIntranetTraffictoInternetExplorer -- **Value type:** REG_DWORD - -### Related Policies -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - -- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured* + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + +>[!TIP] +>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Send all intranet sites to Internet Explorer 11 +- **GP name:** SendIntranetTraffictoInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Value name:** SendIntranetTraffictoInternetExplorer +- **Value type:** REG_DWORD + +### Related Policies +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + +### Related topics +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. + +- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +
diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index f42c5e8873..104cb3ebdd 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -1,60 +1,60 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Not configured (Defined in App settings)* - -[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | -| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | -| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. | ![Most restricted value](../images/check-gn.png) | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set default search engine -- **GP name:** SetDefaultSearchEngine -- **GP element:** SetDefaultSearchEngine_Prompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch -- **Value name:** SetDefaultSearchEngine -- **Value type:** REG_SZ - -### Related policies - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - -### Related topics - -- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites. - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Not configured (Defined in App settings)* + +[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | +| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | +| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. | ![Most restricted value](../images/check-gn.png) | + +--- + + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set default search engine +- **GP name:** SetDefaultSearchEngine +- **GP element:** SetDefaultSearchEngine_Prompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch +- **Value name:** SetDefaultSearchEngine +- **Value type:** REG_SZ + +### Related policies + +- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] + +- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] + +### Related topics + +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] + +- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites. + +

diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index 5d3549e402..3cf0692dbb 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -1,52 +1,52 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Blank)* - -[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Blank | Blank | Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | -| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the *Show home button & set a specific page* option. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set Home Button URL -- **GP name:** SetHomeButtonURL -- **GP element:** SetHomeButtonURLPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButtonURL -- **Value type:** REG_SZ - -### Related policies - -- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Blank)* + +[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Blank | Blank | Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | +| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the *Show home button & set a specific page* option. | + +--- + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set Home Button URL +- **GP name:** SetHomeButtonURL +- **GP element:** SetHomeButtonURLPrompt +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) +- **Supported devices:** Desktop and Mobile +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** ConfigureHomeButtonURL +- **Value type:** REG_SZ + +### Related policies + +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +

diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index b8521a3c98..58536ae480 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -1,51 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Blank)* - -[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:------:|:--------:|----------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Blank | Blank | Load the default New Tab page. | -| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set New Tab page URL -- **GP name:** SetNewTabPageURL -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** NewTabPageUR -- **Value type:** REG_SZ - - -### Related policies - -[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - - - -

+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Blank)* + +[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:------:|:--------:|----------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Blank | Blank | Load the default New Tab page. | +| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Set New Tab page URL +- **GP name:** SetNewTabPageURL +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** NewTabPageUR +- **Value type:** REG_SZ + + +### Related policies + +[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + + +

diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index 418034e68a..024279e776 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -1,55 +1,55 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
->*Default setting: Disabled or not configured (No additional message)* - - -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | No additional message displays. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | | -| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Show message when opening sites in Internet Explorer -- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer -- **Value type:** REG_DWORD - -### Related policies - -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Default setting: Disabled or not configured (No additional message)* + + +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | No additional message displays. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | | +| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Show message when opening sites in Internet Explorer +- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer +- **Value type:** REG_DWORD + +### Related policies + +- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + +- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + + +
diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index 022ba40f20..c7dae69002 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -1,51 +1,51 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Home button is locked)* - -[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Locked, preventing users from making changes. | -| Enabled | 1 | 1 | Unlocked, letting users make changes. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Unlock Home Button -- **GP name:** UnlockHomeButton -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** UnlockHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - - -
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Home button is locked)* + +[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] + +### Supported values + +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Locked, preventing users from making changes. | +| Enabled | 1 | 1 | Unlocked, letting users make changes. | + +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Unlock Home Button +- **GP name:** UnlockHomeButton +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +- **Data type:** Integer + +#### Registry settings +- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Value name:** UnlockHomeButton +- **Value type:** REG_DWORD + +### Related policies + +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] + + +
diff --git a/browsers/edge/managing-group-policy-admx-files.md b/browsers/edge/managing-group-policy-admx-files.md index ff853cd179..f749992d29 100644 --- a/browsers/edge/managing-group-policy-admx-files.md +++ b/browsers/edge/managing-group-policy-admx-files.md @@ -1,26 +1,26 @@ ---- -title: Managing group policy ADMX files -description: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. -ms.assetid: -ms.reviewer: -manager: dansimp -author: eavena -ms.author: eravena -ms.prod: edge -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 10/19/2018 ---- - -# Managing group policy ADMX files - ->Applies to: Microsoft Edge on Windows 10 - -ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. - ->[!NOTE] ->The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. - -Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. - -Some situations require a better understanding of how ADMX files are structured and the location of the files. In this article, we show you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). +--- +title: Managing group policy ADMX files +description: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.prod: edge +ms.sitesec: library +ms.localizationpriority: medium +ms.date: 10/19/2018 +--- + +# Managing group policy ADMX files + +>Applies to: Microsoft Edge on Windows 10 + +ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. + +>[!NOTE] +>The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. + +Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. + +Some situations require a better understanding of how ADMX files are structured and the location of the files. In this article, we show you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index ac6e0b7224..e73d7bb1a6 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,54 +1,54 @@ ---- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -ms.reviewer: -manager: dansimp -description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: msdmaguire -ms.author: dmaguire -ms.prod: edge -ms.topic: article -ms.mktglfcycl: general -ms.sitesec: library -ms.localizationpriority: medium ---- - -# Frequently Asked Questions (FAQs) for IT Pros - ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -## How can I get the next major version of Microsoft Edge, based on Chromium? -In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). - -## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? -Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. - -For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). - -## Does Microsoft Edge work with Enterprise Mode? -[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. - -## How do I customize Microsoft Edge and related settings for my organization? -You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - -## Is Adobe Flash supported in Microsoft Edge? -Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - -## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? -No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. - -## How often will Microsoft Edge be updated? -In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. - -## How can I provide feedback on Microsoft Edge? -Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. - -## Will Internet Explorer 11 continue to receive updates? -We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. - -## How do I find out what version of Microsoft Edge I have? -In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. - -## What is Microsoft EdgeHTML? -Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) +--- +title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +ms.reviewer: +audience: itpro manager: dansimp +description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. +author: msdmaguire +ms.author: dmaguire +ms.prod: edge +ms.topic: article +ms.mktglfcycl: general +ms.sitesec: library +ms.localizationpriority: medium +--- + +# Frequently Asked Questions (FAQs) for IT Pros + +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +## How can I get the next major version of Microsoft Edge, based on Chromium? +In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). + +## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? +Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. + +For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + +## Does Microsoft Edge work with Enterprise Mode? +[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. + +## How do I customize Microsoft Edge and related settings for my organization? +You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + +## Is Adobe Flash supported in Microsoft Edge? +Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. + +To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + +## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? +No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. + +## How often will Microsoft Edge be updated? +In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. + +## How can I provide feedback on Microsoft Edge? +Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. + +## Will Internet Explorer 11 continue to receive updates? +We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. + +## How do I find out what version of Microsoft Edge I have? +In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. + +## What is Microsoft EdgeHTML? +Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-forrester.md b/browsers/edge/microsoft-edge-forrester.md index a68908bb52..2407ccef53 100644 --- a/browsers/edge/microsoft-edge-forrester.md +++ b/browsers/edge/microsoft-edge-forrester.md @@ -1,36 +1,36 @@ ---- -title: Forrester Total Economic Impact - Microsoft Edge -ms.reviewer: -manager: dansimp -description: Review the results of the Microsoft Edge study carried out by Forrester Research -ms.prod: edge -ms.topic: article -author: msdmaguire -ms.author: dmaguire -ms.localizationpriority: high ---- -# Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge - -Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity. - -## Forrester report video summary -View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: - -> ![VIDEO ] - -## Forrester Study report - -Forrester interviewed several customers with more than six months of experience using Microsoft Edge – all customers reported improvements in browser security, increased user productivity, and efficiencies gained in supporting the software. - -[Download the full report](https://www.microsoft.com/download/details.aspx?id=55847) - -## Forrester Study report infographic -Get a graphical summary of the TEI of Microsoft Edge Forrester Study report and highlights of the three-year financial impact of Microsoft Edge. - -[Download the report infographic](https://www.microsoft.com/download/details.aspx?id=55956) - -## Forrester survey infographic - -Forrester surveyed 168 customers using Microsoft Edge form the US, Germany, UK, and Japan, ranging in size from 500 to over 100,000 employees. This document is an abridged version of this survey commissioned by Microsoft and delivery by Forrester consulting. - -[Download the survey infographic](https://www.microsoft.com/download/details.aspx?id=53892) +--- +title: Forrester Total Economic Impact - Microsoft Edge +ms.reviewer: +audience: itpro manager: dansimp +description: Review the results of the Microsoft Edge study carried out by Forrester Research +ms.prod: edge +ms.topic: article +author: msdmaguire +ms.author: dmaguire +ms.localizationpriority: high +--- +# Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge + +Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity. + +## Forrester report video summary +View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: + +> ![VIDEO ] + +## Forrester Study report + +Forrester interviewed several customers with more than six months of experience using Microsoft Edge – all customers reported improvements in browser security, increased user productivity, and efficiencies gained in supporting the software. + +[Download the full report](https://www.microsoft.com/download/details.aspx?id=55847) + +## Forrester Study report infographic +Get a graphical summary of the TEI of Microsoft Edge Forrester Study report and highlights of the three-year financial impact of Microsoft Edge. + +[Download the report infographic](https://www.microsoft.com/download/details.aspx?id=55956) + +## Forrester survey infographic + +Forrester surveyed 168 customers using Microsoft Edge form the US, Germany, UK, and Japan, ranging in size from 500 to over 100,000 employees. This document is an abridged version of this survey commissioned by Microsoft and delivery by Forrester consulting. + +[Download the survey infographic](https://www.microsoft.com/download/details.aspx?id=53892) diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index b1d69471cd..9781a1de92 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -3,12 +3,13 @@ title: Deploy Microsoft Edge kiosk mode description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. ms.assetid: ms.reviewer: +audience: itpro manager: dansimp author: eavena ms.author: eravena ms.prod: edge ms.sitesec: library -ms.topic: get-started-article +ms.topic: article ms.localizationpriority: medium ms.date: 10/29/2018 --- diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md index 00da0e5de3..6ca44ca392 100644 --- a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md +++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md index 2e877de455..4b4897683a 100644 --- a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md +++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md index c3aa88d8c1..bd2d105ef2 100644 --- a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md +++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running. diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md index 5515b7a283..373cac8619 100644 --- a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md +++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes. diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md index 329f024f3f..4775e4ba3e 100644 --- a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md +++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file. diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md index 035f849a7f..5975b2b148 100644 --- a/browsers/edge/shortdesc/allow-cortana-shortdesc.md +++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device. diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md index 43fb795cdd..4084a7dfde 100644 --- a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md +++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools. diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md index 56e23ae4da..9d39c7e091 100644 --- a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md +++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md index 8276b06760..ca5e422178 100644 --- a/browsers/edge/shortdesc/allow-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions. diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md index cb47a5d149..1aca979b7e 100644 --- a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md +++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md index 1340e13406..4e15608ff7 100644 --- a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md +++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing. diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md index 35a86bfd85..46d2b5f57e 100644 --- a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md +++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md index a8437f2035..fcaf11e3ef 100644 --- a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md +++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching. diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md index 288599efdd..f03766176c 100644 --- a/browsers/edge/shortdesc/allow-printing-shortdesc.md +++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md index 00be5b8c4d..9acffb1e18 100644 --- a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md +++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md index fab9a56cff..4992a19eab 100644 --- a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md +++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md index 588e9f64f9..e16dbdc2db 100644 --- a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md index ec10c36e78..783d8517ed 100644 --- a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md +++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs. diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md index 5d9a75ed5a..eb2a40f269 100644 --- a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md +++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 11/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it. +--- +author: dansimp +ms.author: dansimp +ms.date: 11/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it. diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md index 2c63762356..51e769d22c 100644 --- a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md +++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder. diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md index a9e0bdb003..264f64a898 100644 --- a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md +++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region. diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md index 57fc82b0a1..f4a61c024c 100644 --- a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md +++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md index d409c6374c..0f73c32d5f 100644 --- a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md +++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically. diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md index 74af7970c6..94441080d8 100644 --- a/browsers/edge/shortdesc/configure-autofill-shortdesc.md +++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md index 3f8d400ca5..75a3631a95 100644 --- a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md +++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md index eeb223000b..93152d2e3d 100644 --- a/browsers/edge/shortdesc/configure-cookies-shortdesc.md +++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies. diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md index 68e1b83ac2..dd27fad917 100644 --- a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md +++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md index f98aa94435..d13febee60 100644 --- a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md +++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode. diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md index 661818a582..8f16c20242 100644 --- a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md +++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages. diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md index 34e0cded8f..9317df97f3 100644 --- a/browsers/edge/shortdesc/configure-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md index 17d1b68784..c02a0dcee9 100644 --- a/browsers/edge/shortdesc/configure-home-button-shortdesc.md +++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md index 37ca79a2c7..0247b490e6 100644 --- a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md +++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md index 767c933e7c..3a7657e544 100644 --- a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md +++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data. diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md index cf69dd8af8..8d1cc4f603 100644 --- a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md +++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md index f0b41c5b0f..0d3bd9b655 100644 --- a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md +++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager. diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md index a34c788e1e..d15347179d 100644 --- a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md +++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md @@ -1,12 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy. - +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy. + diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md index 71b3e06d0d..2bdf42c6d3 100644 --- a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md +++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions. diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md index 6cf35edc0e..146511b737 100644 --- a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md +++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md index 600d2e2986..62547e8955 100644 --- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md +++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md index 3f0ebb72c4..37ff4011ad 100644 --- a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md +++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md index b269a7f3e3..f0cb07d514 100644 --- a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md +++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option. diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md index 2fe09c0260..f61cc11548 100644 --- a/browsers/edge/shortdesc/do-not-sync-shortdesc.md +++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md index 0b377e56b6..3bd062d263 100644 --- a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md +++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites. diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md index 4b4a459339..91065aa687 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md @@ -1,12 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): +This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md index 7bf20983de..5bf46ea949 100644 --- a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md index f6b222fde2..3676adbc89 100644 --- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s). +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s). diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md index d04429bef8..05bae5dac6 100644 --- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site. diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md index c73e676517..675180c666 100644 --- a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings. diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md index b635ee64e8..33db87a522 100644 --- a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md index bba9ec1ad5..30d9a48e8d 100644 --- a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience. diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md index c156c94126..9ed6170971 100644 --- a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md index 35b0859dc6..7264330137 100644 --- a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md index 037c535aa8..e624de62e6 100644 --- a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md index 3a25de844f..5ef4bbdeca 100644 --- a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md index 0d84ac76c1..30b9677f92 100644 --- a/browsers/edge/shortdesc/provision-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md index 8524933996..8f54c4b93a 100644 --- a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md +++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md index 3b17cd7e5f..787f96dd9b 100644 --- a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md +++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md index 958dd67138..39b408d1b4 100644 --- a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md +++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes. diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md index 67e62738a6..863cfdf84a 100644 --- a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md +++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button. diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md index a909cbbdc7..5062d322e4 100644 --- a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md +++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md index 5ae8a12782..1dc59094fd 100644 --- a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md +++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md @@ -1,10 +1,10 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- -Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- +Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both. diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md index 722998c5bf..0dd37009b6 100644 --- a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md +++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md @@ -1,11 +1,11 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies. diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md index 4adc94fcf4..ba351d8b48 100644 --- a/browsers/edge/troubleshooting-microsoft-edge.md +++ b/browsers/edge/troubleshooting-microsoft-edge.md @@ -1,37 +1,37 @@ ---- -title: Troubleshoot Microsoft Edge -description: -ms.assetid: -ms.reviewer: -manager: dansimp -author: eavena -ms.author: eravena -ms.prod: edge -ms.sitesec: library -title: Deploy Microsoft Edge kiosk mode -ms.localizationpriority: medium -ms.date: 10/15/2018 ---- - -# Troubleshoot Microsoft Edge - - -## Microsoft Edge and IPv6 -We are aware of the known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable it. - -## Microsoft Edge hijacks .PDF and .HTM files - - - -## Citrix Receiver in Microsoft Edge kiosk mode -If you want to deliver applications to users via Citrix through Microsoft Edge, you must create the kiosk user account and then log into the account to install Citrix Receiver BEFORE setting up assigned access. - -1. Create the kiosk user account. -2. Log into the account. -3. Install Citrix Receiver. -4. Set up assigned access. - - -## Missing SettingSync.admx and SettingSync.adml files - -Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. +--- +title: Troubleshoot Microsoft Edge +description: +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +author: eavena +ms.author: eravena +ms.prod: edge +ms.sitesec: library +title: Deploy Microsoft Edge kiosk mode +ms.localizationpriority: medium +ms.date: 10/15/2018 +--- + +# Troubleshoot Microsoft Edge + + +## Microsoft Edge and IPv6 +We are aware of the known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable it. + +## Microsoft Edge hijacks .PDF and .HTM files + + + +## Citrix Receiver in Microsoft Edge kiosk mode +If you want to deliver applications to users via Citrix through Microsoft Edge, you must create the kiosk user account and then log into the account to install Citrix Receiver BEFORE setting up assigned access. + +1. Create the kiosk user account. +2. Log into the account. +3. Install Citrix Receiver. +4. Set up assigned access. + + +## Missing SettingSync.admx and SettingSync.adml files + +Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md index 58ce9b4d8c..4427c17e84 100644 --- a/browsers/edge/use-powershell-to manage-group-policy.md +++ b/browsers/edge/use-powershell-to manage-group-policy.md @@ -1,29 +1,29 @@ ---- -title: Use Windows PowerShell to manage group policy -description: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.author: eravena -author: eavena ---- - -# Use Windows PowerShell to manage group policy - -Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs): - -- Maintain GPOs (GPO creation, removal, backup, and import) -- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal) -- Set permissions on GPOs -- Modify inheritance flags on Active Directory organization units (OUs) and domains -- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal) -- Create starter GPOs - - - +--- +title: Use Windows PowerShell to manage group policy +description: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) +ms.localizationpriority: medium +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: eravena +author: eavena +--- + +# Use Windows PowerShell to manage group policy + +Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs): + +- Maintain GPOs (GPO creation, removal, backup, and import) +- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal) +- Set permissions on GPOs +- Modify inheritance flags on Active Directory organization units (OUs) and domains +- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal) +- Create starter GPOs + + + diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md index 29b12ada64..b502df7292 100644 --- a/browsers/edge/web-app-compat-toolkit.md +++ b/browsers/edge/web-app-compat-toolkit.md @@ -1,57 +1,57 @@ ---- -title: Web Application Compatibility lab kit -ms.reviewer: -manager: dansimp -description: Learn how to use the web application compatibility toolkit for Microsoft Edge. -ms.prod: edge -ms.topic: article -ms.manager: elizapo -author: eavena -ms.author: eravena -ms.localizationpriority: high ---- - -# Web Application Compatibility lab kit - ->Updated: October, 2017 - -Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. - -The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. It walks you through how to configure and set up Enterprise Mode, leverage Enterprise Site Discovery, test web apps using the F12 developer tools, and manage the Enterprise Mode Site List. - -The Web Application Compatibility Lab Kit includes: - -- A pre-configured Windows 7 and Windows 10 virtual lab environment with: - - Windows 7 Enterprise Evaluation - - Windows 10 Enterprise Evaluation (version 1607) - - Enterprise Mode Site List Manager - - Enterprise Site Discovery Toolkit -- A "lite" lab option to run the lab on your own Windows 7 or Windows 10 operating system -- A step-by-step lab guide -- A web application compatibility overview video -- A white paper and IT Showcase studies - -Depending on your environment, your web apps may "just work” using the methods described below. Visit [Microsoft Edge Dev](https://developer.microsoft.com/microsoft-edge/) for tools and guidance for web developers. - -There are two versions of the lab kit available: - -- Full version (8 GB) - includes a complete virtual lab environment -- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system - -The Web Application Compatibility Lab Kit is also available in the following languages: - -- Chinese (Simplified) -- Chinese (Traditional) -- French -- German -- Italian -- Japanese -- Korean -- Portuguese (Brazil) -- Russian -- Spanish - -[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) - ->[!TIP] ->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. +--- +title: Web Application Compatibility lab kit +ms.reviewer: +audience: itpro manager: dansimp +description: Learn how to use the web application compatibility toolkit for Microsoft Edge. +ms.prod: edge +ms.topic: article +ms.manager: elizapo +author: eavena +ms.author: eravena +ms.localizationpriority: high +--- + +# Web Application Compatibility lab kit + +>Updated: October, 2017 + +Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. + +The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. It walks you through how to configure and set up Enterprise Mode, leverage Enterprise Site Discovery, test web apps using the F12 developer tools, and manage the Enterprise Mode Site List. + +The Web Application Compatibility Lab Kit includes: + +- A pre-configured Windows 7 and Windows 10 virtual lab environment with: + - Windows 7 Enterprise Evaluation + - Windows 10 Enterprise Evaluation (version 1607) + - Enterprise Mode Site List Manager + - Enterprise Site Discovery Toolkit +- A "lite" lab option to run the lab on your own Windows 7 or Windows 10 operating system +- A step-by-step lab guide +- A web application compatibility overview video +- A white paper and IT Showcase studies + +Depending on your environment, your web apps may "just work” using the methods described below. Visit [Microsoft Edge Dev](https://developer.microsoft.com/microsoft-edge/) for tools and guidance for web developers. + +There are two versions of the lab kit available: + +- Full version (8 GB) - includes a complete virtual lab environment +- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system + +The Web Application Compatibility Lab Kit is also available in the following languages: + +- Chinese (Simplified) +- Chinese (Traditional) +- French +- German +- Italian +- Japanese +- Korean +- Portuguese (Brazil) +- Russian +- Spanish + +[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) + +>[!TIP] +>Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md index 3e22df673d..9e9f2933fe 100644 --- a/browsers/enterprise-mode/enterprise-mode.md +++ b/browsers/enterprise-mode/enterprise-mode.md @@ -5,7 +5,7 @@ ms.pagetype: security description: Use this section to learn about how to turn on Enterprise Mode. author: eavena ms.author: eravena -ms.prod: edge, ie11 +ms.prod: edge ms.assetid: ms.reviewer: manager: dansimp diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md index 03e5488335..e506d779b2 100644 --- a/browsers/includes/available-duel-browser-experiences-include.md +++ b/browsers/includes/available-duel-browser-experiences-include.md @@ -1,22 +1,22 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -## Available dual-browser experiences -Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: - -- Use Microsoft Edge as your primary browser. - -- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. - -- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. - -- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. - -For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +## Available dual-browser experiences +Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: + +- Use Microsoft Edge as your primary browser. + +- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. + +- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. + +- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. + +For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index e4a5e68376..9d4ab636ca 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -1,38 +1,38 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -## Helpful information and additional resources -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) - -- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) - -- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) - -- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md) - -- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md) - -- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) - -- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) - -- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) - - - - - -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) -- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) -- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +## Helpful information and additional resources +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) + +- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md) + +- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md) + +- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) + +- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) + +- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) + + + + + +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) +- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) +- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 1954c6ad4e..22464cc569 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md +++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -1,22 +1,22 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. - ->[!IMPORTANT] ->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. - -1. In the Enterprise Mode Site List Manager, click **File \> Import**. - -2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` - -1. Click **Open**. - -2. Review the alert message about all of your entries being overwritten and click **Yes**. +--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. + +>[!IMPORTANT] +>Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. + +1. In the Enterprise Mode Site List Manager, click **File \> Import**. + +2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie` + +1. Click **Open**. + +2. Review the alert message about all of your entries being overwritten and click **Yes**. diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md index fffc2e5480..04470d33af 100644 --- a/browsers/includes/interoperability-goals-enterprise-guidance.md +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md @@ -1,41 +1,41 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/15/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -## Interoperability goals and enterprise guidance - -Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. - -You must continue using IE11 if web apps use any of the following: - -* ActiveX controls - -* x-ua-compatible headers - -* <meta> tags with an http-equivalent value of X-UA-Compatible header - -* Enterprise mode or compatibility view to addressing compatibility issues - -* legacy document modes - -If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. - ->[!TIP] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). - - -|Technology |Why it existed |Why we don't need it anymore | -|---------|---------|---------| -|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | -|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | | -|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | - - ---- - +--- +author: eavena +ms.author: eravena +ms.date: 10/15/2018 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: edge +ms.topic: include +--- + +## Interoperability goals and enterprise guidance + +Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. + +You must continue using IE11 if web apps use any of the following: + +* ActiveX controls + +* x-ua-compatible headers + +* <meta> tags with an http-equivalent value of X-UA-Compatible header + +* Enterprise mode or compatibility view to addressing compatibility issues + +* legacy document modes + +If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. + +>[!TIP] +>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). + + +|Technology |Why it existed |Why we don't need it anymore | +|---------|---------|---------| +|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | +|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | | +|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | + + +--- + diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 153f4be5f1..934ad0e5f6 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -24,10 +24,11 @@ "globalMetadata": { "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", - "ms.author": "shortpatti", - "author": "eross-msft", + "audience": "ITPro", "ms.technology": "internet-explorer", + "ms.prod": "ie11", "ms.topic": "article", + "manager": "laurawi", "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index a9b94e0990..8fe62f2f79 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: How to use Group Policy to install ActiveX controls. -author: dansimp -ms.prod: ie11 -ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and ActiveX installation - -ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer: - -- Get the ActiveX control if it's not already installed. - -- Download the installation package. - -- Perform trust verification on the object. - -- Prompt for installation permission, using the IE Information Bar. - -During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control. - -**Important**
ActiveX control installation requires administrator-level permissions. - -## Group Policy for the ActiveX Installer Service - -You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include: - -- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control. - -- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed. - -For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: How to use Group Policy to install ActiveX controls. +author: dansimp +ms.prod: ie11 +ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and ActiveX installation + +ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer: + +- Get the ActiveX control if it's not already installed. + +- Download the installation package. + +- Perform trust verification on the object. + +- Prompt for installation permission, using the IE Information Bar. + +During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control. + +**Important**
ActiveX control installation requires administrator-level permissions. + +## Group Policy for the ActiveX Installer Service + +You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include: + +- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control. + +- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed. + +For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md index da48e06a3b..664bc596e1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md @@ -1,68 +1,68 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to add employees to the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# Add employees to the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. - -The available roles are: - -- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. - -- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. - -**To add an employee to the Enterprise Mode Site List Portal** -1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. - - The **Employee management** page appears. - -2. Click **Add a new employee**. - - The **Add a new employee** page appears. - -3. Fill out the fields for each employee, including: - - - **Email.** Add the employee's email address. - - - **Name.** This box autofills based on the email address. - - - **Role.** Pick a single role for the employee, based on the list above. - - - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. - - - **Comments.** Add optional comments about the employee. - - - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. - -4. Click **Save**. - -**To export all employees to an Excel spreadsheet** -1. On the **Employee management** page, click **Export to Excel**. - -2. Save the EnterpriseModeUsersList.xlsx file. - - The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to add employees to the Enterprise Mode Site List Portal. +author: dansimp +ms.prod: ie11 +title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +--- + +# Add employees to the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. + +The available roles are: + +- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. + +- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. + +**To add an employee to the Enterprise Mode Site List Portal** +1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. + + The **Employee management** page appears. + +2. Click **Add a new employee**. + + The **Add a new employee** page appears. + +3. Fill out the fields for each employee, including: + + - **Email.** Add the employee's email address. + + - **Name.** This box autofills based on the email address. + + - **Role.** Pick a single role for the employee, based on the list above. + + - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. + + - **Comments.** Add optional comments about the employee. + + - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + +**To export all employees to an Excel spreadsheet** +1. On the **Employee management** page, click **Export to Excel**. + +2. Save the EnterpriseModeUsersList.xlsx file. + + The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index ab6bed0da5..8ead60630e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md @@ -1,112 +1,112 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -author: dansimp -ms.prod: ie11 -ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 - -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. - -If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - -## Create an Enterprise Mode site list (TXT) file -You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. - -You must separate each site using commas or carriage returns. For example: - -``` -microsoft.com, bing.com, bing.com/images -``` -**-OR-** - -``` -microsoft.com -bing.com -bing.com/images -``` - -## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema -You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -Each XML file must include: - -- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. - -- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. - -- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -### Enterprise Mode v.1 XML schema example -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -``` - - - www.cpandl.com - www.woodgrovebank.com - adatum.com - contoso.com - relecloud.com - /about - - fabrikam.com - /products - - - - contoso.com - /travel - - fabrikam.com - /products - - - -``` - -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. - -## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) -After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). - - **To add multiple sites** - -1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. - -2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. +author: dansimp +ms.prod: ie11 +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) + +**Applies to:** + +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. + +If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file +You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. + +You must separate each site using commas or carriage returns. For example: + +``` +microsoft.com, bing.com, bing.com/images +``` +**-OR-** + +``` +microsoft.com +bing.com +bing.com/images +``` + +## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema +You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +Each XML file must include: + +- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. + +- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. + +- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +### Enterprise Mode v.1 XML schema example +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +``` + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. + +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). + + **To add multiple sites** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. + +2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 6286b356ea..f351c57bb9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -1,122 +1,122 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). -author: dansimp -ms.prod: ie11 -ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/24/2017 ---- - - -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 - -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones. - -To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). - -## Create an Enterprise Mode site list (TXT) file - -You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. - ->**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. - -You must separate each site using commas or carriage returns. For example: - -``` -microsoft.com, bing.com, bing.com/images -``` -**-OR-** - -``` -microsoft.com -bing.com -bing.com/images -``` - -## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema - -You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. - -Each XML file must include: - -- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.  - -- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains. - -- **<open-in> tag.** This tag specifies what browser opens for each sites or domain. - -### Enterprise Mode v.2 XML schema example - -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - -``` - - - - EnterpriseSitelistManager - 10240 - 20150728.135021 - - - - IE8Enterprise - MSEdge - - - IE7Enterprise - IE11 - - - default - IE11 - - -``` -In the above example, the following is true: - -- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. - -- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. - -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2). - -## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2) -After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2). - - **To add multiple sites** - -1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**. - -2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). +author: dansimp +ms.prod: ie11 +ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/24/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones. + +To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file + +You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. + +>**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. + +You must separate each site using commas or carriage returns. For example: + +``` +microsoft.com, bing.com, bing.com/images +``` +**-OR-** + +``` +microsoft.com +bing.com +bing.com/images +``` + +## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema + +You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time. + +Each XML file must include: + +- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.  + +- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains. + +- **<open-in> tag.** This tag specifies what browser opens for each sites or domain. + +### Enterprise Mode v.2 XML schema example + +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +``` + + + + EnterpriseSitelistManager + 10240 + 20150728.135021 + + + + IE8Enterprise + MSEdge + + + IE7Enterprise + IE11 + + + default + IE11 + + +``` +In the above example, the following is true: + +- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. + +- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2). + +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2). + + **To add multiple sites** + +1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**. + +2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 06f0afe48d..8b8435daff 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -1,66 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: dansimp -ms.prod: ie11 -ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. - -

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. - -## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. -

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). - - **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** - -1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. - -2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

-Administrators can only see comments while they’re in this tool. - -4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. - -The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - -Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +author: dansimp +ms.prod: ie11 +ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) + +**Applies to:** + +- Windows 8.1 +- Windows 7 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. + +## Adding a site to your compatibility list +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. +

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). + + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. + +2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. + +3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool. + +4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. + +The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. + +Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +5. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. + +6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 481ddaa91a..46a8edef5e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -1,82 +1,82 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: dansimp -ms.prod: ie11 -ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. - -

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) or the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) topic, based on your operating system. - -## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

-**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - - **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** - -1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. - -2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

- Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

- Administrators can only see comments while they’re in this tool. - -4. In the **Compat Mode** box, choose one of the following: - - - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. - - - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. - - - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. - - - **Default Mode**. Loads the site using the default compatibility mode for the page. - - The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - - Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. - - - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. - - - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. - - - **None**. Opens in whatever browser the employee chooses. - -6. Click **Save** to validate your website and to add it to the site list for your enterprise.

- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +author: dansimp +ms.prod: ie11 +ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) or the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) topic, based on your operating system. + +## Adding a site to your compatibility list +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

+**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** + +1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. + +2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+ Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. + +3. Type any comments about the website into the **Notes about URL** box.

+ Administrators can only see comments while they’re in this tool. + +4. In the **Compat Mode** box, choose one of the following: + + - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. + + - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. + + - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. + + - **Default Mode**. Loads the site using the default compatibility mode for the page. + + The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. + + Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. + + - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. + + - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. + + - **None**. Opens in whatever browser the employee chooses. + +6. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. + +7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 4ad92662d8..f08c08fcdb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md @@ -1,82 +1,82 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Administrative templates and Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Administrative templates and Internet Explorer 11 - -Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: - -- What registry locations correspond to each setting. - -- What value options or restrictions are associated with each setting. - -- The default value for many settings. - -- Text explanations about each setting and the supported version of Internet Explorer. - -For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). - -## What are Administrative Templates? -Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates: - -- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. - -- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. - -## How do I store Administrative Templates? -As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). -

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. - -## Administrative Templates-related Group Policy settings -When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. -

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. - -IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: - -- Computer Configuration\\Administrative Templates\\Windows Components\\ - -- User Configuration\\Administrative Templates\\Windows Components\\ - - -|Catalog |Description | -| ------------------------------------------------ | --------------------------------------------| -|IE |Turns standard IE configuration on and off. | -|Internet Explorer\Accelerators |Sets up and manages Accelerators. | -|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. | -|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. | -|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.| -|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. | -|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. | -|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. | -|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. | -|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. | -|Internet Explorer\Privacy |Turns various privacy-related features on and off. | -|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | -|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | -|RSS Feeds |Sets up and manages RSS feeds in the browser. | - - -## Editing Group Policy settings -Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: - -- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. - -- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. - -## Related topics -- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880) -- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576) -- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Administrative templates and Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Administrative templates and Internet Explorer 11 + +Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: + +- What registry locations correspond to each setting. + +- What value options or restrictions are associated with each setting. + +- The default value for many settings. + +- Text explanations about each setting and the supported version of Internet Explorer. + +For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). + +## What are Administrative Templates? +Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates: + +- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. + +- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. + +## How do I store Administrative Templates? +As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). +

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. + +## Administrative Templates-related Group Policy settings +When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. +

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. + +IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: + +- Computer Configuration\\Administrative Templates\\Windows Components\\ + +- User Configuration\\Administrative Templates\\Windows Components\\ + + +|Catalog |Description | +| ------------------------------------------------ | --------------------------------------------| +|IE |Turns standard IE configuration on and off. | +|Internet Explorer\Accelerators |Sets up and manages Accelerators. | +|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. | +|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. | +|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.| +|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. | +|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. | +|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. | +|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. | +|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. | +|Internet Explorer\Privacy |Turns various privacy-related features on and off. | +|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | +|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | +|RSS Feeds |Sets up and manages RSS feeds in the browser. | + + +## Editing Group Policy settings +Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: + +- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. + +- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. + +## Related topics +- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880) +- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576) +- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md index 6ed6595c40..977e17394e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md @@ -1,62 +1,62 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# Approve a change request using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. - -## Approve or reject a change request -The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. - -**To approve or reject a change request** -1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. - - The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. - -2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. - -3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. - - An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. - - -## Send a reminder to the Approver(s) group -If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. - -- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. - - An email is sent to the selected Approver(s). - - -## View rejected change requests -The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. - -**To view the rejected change request** - -- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. - - All rejected change requests appear, with role assignment determining which ones are visible. - - -## Next steps -After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. +author: dansimp +ms.prod: ie11 +title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +--- + +# Approve a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. + +## Approve or reject a change request +The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. + +**To approve or reject a change request** +1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. + + The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. + +2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. + +3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. + + An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. + + +## Send a reminder to the Approver(s) group +If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. + +- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. + + An email is sent to the selected Approver(s). + + +## View rejected change requests +The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. + +**To view the rejected change request** + +- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. + + All rejected change requests appear, with role assignment determining which ones are visible. + + +## Next steps +After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index d109a8971f..d45374e404 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md @@ -1,62 +1,62 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto configuration and auto proxy problems with Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto configuration and auto proxy problems with Internet Explorer 11 -You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. - -## Branding changes aren't distributed using automatic configuration -If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). - -## Proxy server setup issues -If you experience issues while setting up your proxy server, you can try these troubleshooting steps: - -- Check to make sure the proxy server address is right. - -- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser. - -- Check that the browser is pointing to the right automatic configuration script location. - - **To check your proxy server address** - -1. On the **Tools** menu, click **Internet Options**, and then **Connections**. - -2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. - -3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). - - **To check that you've turned on the correct settings** - -4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. - -5. Click **Settings** or **LAN Settings**. - -6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. - - **To check that you're pointing to the correct automatic configuration script location** - -7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. - -8. Click **Settings** or **LAN Settings**. - -9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto configuration and auto proxy problems with Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto configuration and auto proxy problems with Internet Explorer 11 +You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. + +## Branding changes aren't distributed using automatic configuration +If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). + +## Proxy server setup issues +If you experience issues while setting up your proxy server, you can try these troubleshooting steps: + +- Check to make sure the proxy server address is right. + +- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser. + +- Check that the browser is pointing to the right automatic configuration script location. + + **To check your proxy server address** + +1. On the **Tools** menu, click **Internet Options**, and then **Connections**. + +2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. + +3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). + + **To check that you've turned on the correct settings** + +4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. + +5. Click **Settings** or **LAN Settings**. + +6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. + + **To check that you're pointing to the correct automatic configuration script location** + +7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. + +8. Click **Settings** or **LAN Settings**. + +9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 1e912f54d0..1b9a0ba9c8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -1,74 +1,74 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto configuration settings for Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto configuration settings for Internet Explorer 11 -Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). - -## Adding the automatic configuration registry key -For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs. - - **To add the registry key** - -1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**. - -2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**. - -3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter. - -4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**. - -5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter. - -6. Right-click **iexplore.exe**, and then click **Modify**. - -7. In the **Value data** box, enter **1**, and then click **OK**. - -8. Exit the registry editor. - -## Updating your automatic configuration settings -After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding. -

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter. - - **To update your settings** - -1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings. - -3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: - - - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts. - - - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. - - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. - -If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md). - -## Locking your automatic configuration settings -You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. - -- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting. - -- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto configuration settings for Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto configuration settings for Internet Explorer 11 +Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). + +## Adding the automatic configuration registry key +For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs. + + **To add the registry key** + +1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**. + +2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**. + +3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter. + +4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**. + +5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter. + +6. Right-click **iexplore.exe**, and then click **Modify**. + +7. In the **Value data** box, enter **1**, and then click **OK**. + +8. Exit the registry editor. + +## Updating your automatic configuration settings +After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding. +

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter. + + **To update your settings** + +1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings. + +3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: + + - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts. + + - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. + + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. + +If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md). + +## Locking your automatic configuration settings +You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. + +- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting. + +- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index 508da17224..6d58aac85b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto detect settings Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto detect settings Internet Explorer 11 -After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location. - -Automatic detection works even if the browser wasn't originally set up or installed by the administrator. - -- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. - -- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. - -## Updating your automatic detection settings -To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options. - - **To turn on automatic detection for DHCP servers** - -1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. - -2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). - -3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - - **To turn on automatic detection for DNS servers** - -4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. - -6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651). - -7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto detect settings Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto detect settings Internet Explorer 11 +After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location. + +Automatic detection works even if the browser wasn't originally set up or installed by the administrator. + +- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. + +- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. + +## Updating your automatic detection settings +To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options. + + **To turn on automatic detection for DHCP servers** + +1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. + +2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). + +3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). + + **To turn on automatic detection for DNS servers** + +4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. + +6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651). + +7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index 5784aff62d..bd7bd5c030 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto proxy configuration settings for Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto proxy configuration settings for Internet Explorer 11 -Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. - -## Updating your auto-proxy settings -You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. - - **To update your settings** - -1. Create a script file with your proxy information, copying it to a server location. - -2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: - - - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts. - - - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). - - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. - -## Locking your auto-proxy settings -You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. - -- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting. - -- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto proxy configuration settings for Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto proxy configuration settings for Internet Explorer 11 +Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. + +## Updating your auto-proxy settings +You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. + + **To update your settings** + +1. Create a script file with your proxy information, copying it to a server location. + +2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: + + - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts. + + - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). + + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. + +## Locking your auto-proxy settings +You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. + +- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting. + +- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md index eee4b1425c..12bd5502e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md +++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md @@ -1,43 +1,43 @@ ---- -title: Blocked out-of-date ActiveX controls -description: This page is periodically updated with new ActiveX controls blocked by this feature. -author: dansimp -ms.author: dansimp -manager: dansimp -ms.date: 05/10/2018 -ms.topic: article -ms.prod: ie11 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -ms.assetid: '' -ms.reviewer: -ms.sitesec: library ---- - -# Blocked out-of-date ActiveX controls - -ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. - -We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. - -You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: - -**Java** - -| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 | -|----------------------------------------------------------------------------------------------| -| J2SE 5.0, everything below (but not including) update 99 | -| Java SE 6, everything below (but not including) update 181 | -| Java SE 7, everything below (but not including) update 171 | -| Java SE 8, everything below (but not including) update 161 | -| Java SE 9, everything below (but not including) update 4 | - -**Silverlight** - - -| Everything below (but not including) Silverlight 5.1.50907.0 | -|--------------------------------------------------------------| -| | - -For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). +--- +title: Blocked out-of-date ActiveX controls +description: This page is periodically updated with new ActiveX controls blocked by this feature. +author: dansimp +ms.author: dansimp +audience: itpro manager: dansimp +ms.date: 05/10/2018 +ms.topic: article +ms.prod: ie11 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +ms.assetid: '' +ms.reviewer: +ms.sitesec: library +--- + +# Blocked out-of-date ActiveX controls + +ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. + +We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. + +You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: + +**Java** + +| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 | +|----------------------------------------------------------------------------------------------| +| J2SE 5.0, everything below (but not including) update 99 | +| Java SE 6, everything below (but not including) update 181 | +| Java SE 7, everything below (but not including) update 171 | +| Java SE 8, everything below (but not including) update 161 | +| Java SE 9, everything below (but not including) update 4 | + +**Silverlight** + + +| Everything below (but not including) Silverlight 5.1.50907.0 | +|--------------------------------------------------------------| +| | + +For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md index cbea60be67..fe61c67cf5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md +++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: performance -description: Browser cache changes and roaming profiles -author: dansimp -ms.prod: ie11 -ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Browser cache changes and roaming profiles -We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. - -You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.

**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545). - -To get the best results while using roaming profiles, we strongly recommend the following: - -- Create a separate roaming repository for each domain account that uses roaming. - -- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss. - -- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings. - -- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: performance +description: Browser cache changes and roaming profiles +author: dansimp +ms.prod: ie11 +ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Browser cache changes and roaming profiles +We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. + +You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.

**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545). + +To get the best results while using roaming profiles, we strongly recommend the following: + +- Create a separate roaming repository for each domain account that uses roaming. + +- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss. + +- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings. + +- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index 02abe465ad..d3cae2a67a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md @@ -1,56 +1,56 @@ ---- -ms.localizationpriority: medium -title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) -description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. -ms.mktglfcycl: deploy -ms.prod: ie11 -ms.sitesec: library -author: dansimp -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - - -# Change history for Internet Explorer 11 -This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. - -## April 2017 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | - -## March 2017 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | - -## November 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.| - -## August 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | -|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | - -## July 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | - -## June 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. | - - -## May 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | - +--- +ms.localizationpriority: medium +title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) +description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. +ms.mktglfcycl: deploy +ms.prod: ie11 +ms.sitesec: library +author: dansimp +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +--- + + +# Change history for Internet Explorer 11 +This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. + +## April 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | + +## March 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | + +## November 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.| + +## August 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | +|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | + +## June 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. | + + +## May 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index 08d7c2f831..0b2d9ff141 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -1,51 +1,51 @@ ---- -title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) -description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. -ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df -ms.reviewer: -manager: dansimp -ms.prod: ie11 -ms.mktglfcycl: deploy -ms.pagetype: appcompat -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.date: 08/14/2017 -ms.localizationpriority: medium ---- - - -# Check for a new Enterprise Mode site list xml file - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. - -**How Internet Explorer 11 looks for an updated site list** - -1. Internet Explorer starts up and looks for an updated site list in the following places: - - 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list. - - 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list. - - 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry. - -2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. - -   - -  - -  - - - +--- +title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) +description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. +ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: ie11 +ms.mktglfcycl: deploy +ms.pagetype: appcompat +ms.sitesec: library +author: dansimp +ms.author: dansimp +ms.date: 08/14/2017 +ms.localizationpriority: medium +--- + + +# Check for a new Enterprise Mode site list xml file + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. + +**How Internet Explorer 11 looks for an updated site list** + +1. Internet Explorer starts up and looks for an updated site list in the following places: + + 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list. + + 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list. + + 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry. + +2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index 4e6630b0f1..c35d115df7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md @@ -1,31 +1,31 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Choose how to deploy Internet Explorer 11 (IE11) -author: dansimp -ms.prod: ie11 -ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Choose how to deploy Internet Explorer 11 (IE11) -In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. - -## In this section - -| Topic | Description | -|------------------------------------------------------------- | ------------------------------------------------------ | -|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | -|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Choose how to deploy Internet Explorer 11 (IE11) +author: dansimp +ms.prod: ie11 +ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Choose how to deploy Internet Explorer 11 (IE11) +In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. + +## In this section + +| Topic | Description | +|------------------------------------------------------------- | ------------------------------------------------------ | +|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | +|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index e66fa1ed2a..a430073e9d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Choose how to install Internet Explorer 11 (IE11) -author: dansimp -ms.prod: ie11 -ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Choose how to install Internet Explorer 11 (IE11) -Before you install Internet Explorer 11, you should: - -- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version. - -- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries. - -- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site. - -- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. - - - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune). - - - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Choose how to install Internet Explorer 11 (IE11) +author: dansimp +ms.prod: ie11 +ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Choose how to install Internet Explorer 11 (IE11) +Before you install Internet Explorer 11, you should: + +- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version. + +- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries. + +- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site. + +- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. + + - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune). + + - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 3a2826187a..aaabccc9ae 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -1,482 +1,482 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. -author: dansimp -ms.prod: ie11 -ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Collect data using Enterprise Site Discovery -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Collect data using Enterprise Site Discovery - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 with Service Pack 1 (SP1) - -Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. - ->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - - -## Before you begin -Before you start, you need to make sure you have the following: - -- Latest cumulative security update (for all supported versions of Internet Explorer): - - 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) - - 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - - ![affected software section](images/affectedsoftware.png) - - 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. - -- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: - - - Configuration-related PowerShell scripts - - - IETelemetry.mof file - - - Sample System Center 2012 report templates - - You must use System Center 2012 R2 Configuration Manager or later for these samples to work. - -Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. - -## What data is collected? -Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. - -|Data point |IE11 |IE10 |IE9 |IE8 |Description | -|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | - - ->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -### Understanding the returned reason codes -The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. - -#### DocMode reason -The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| -|4 |Page is using an X-UA-compatible meta tag. | -|5 |Page is using an X-UA-compatible HTTP header. | -|6 |Page appears on an active **Compatibility View** list. | -|7 |Page is using native XML parsing. | -|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | -|9 |Page state is set by the browser mode and the page's DOCTYPE.| - -#### Browser state reason -The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | -|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | -|3 |Site appears on an active **Compatibility View** list, created by the user. | -|4 |Page is using an X-UA-compatible tag. | -|5 |Page state is set by the **Developer** toolbar. | -|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | -|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | -|8 |Site appears on the **Quirks** list, created in Group Policy. | -|11 |Site is using the default browser. | - -#### Zone -The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|-1 |Internet Explorer is using an invalid zone. | -|0 |Internet Explorer is using the Local machine zone. | -|1 |Internet Explorer is using the Local intranet zone. | -|2 |Internet Explorer is using the Trusted sites zone. | -|3 |Internet Explorer is using the Internet zone. | -|4 |Internet Explorer is using the Restricted sites zone. | - -## Where is the data stored and how do I collect it? -The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: - -- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. - -- **XML file**. Any agent that works with XML can be used. - -## WMI Site Discovery suggestions -We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. - -On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB - ->**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -## Getting ready to use Enterprise Site Discovery -Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges -You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. - ->**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. - -**To set up Enterprise Site Discovery** - -- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). - -### WMI only: Set up your firewall for WMI data -If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: - -**To set up your firewall** - -1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. - -2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. - -3. Restart your computer to start collecting your WMI data. - -## Use PowerShell to finish setting up Enterprise Site Discovery -You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). - ->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. - -- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - -- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. - -**To set up data collection using a domain allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. - - >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. - -**To set up data collection using a zone allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. - - >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. - -## Use Group Policy to finish setting up Enterprise Site Discovery -You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). - ->**Note**
 All of the Group Policy settings can be used individually or as a group. - - **To set up Enterprise Site Discovery using Group Policy** - -- Open your Group Policy editor, and go to these new settings: - - |Setting name and location |Description |Options | - |---------------------------|-------------|---------| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

  • **On.** Turns on WMI recording.
  • **Off.** Turns off WMI recording.
| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
  • **XML file path.** Including this turns on XML recording.
  • **Blank.** Turns off XML recording.
| - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | - -### Combining WMI and XML Group Policy settings -You can use both the WMI and XML settings individually or together: - -**To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
- -**Turn on WMI recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
- -**To turn on XML recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
- -To turn on both WMI and XML recording - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
- -## Use Configuration Manager to collect your data -After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### Collect your hardware inventory using the MOF Editor while connected to a client device -You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) - -2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. - -3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) - -4. Select the check boxes next to the following classes, and then click **OK**: - - - IESystemInfo - - - IEURLInfo - - - IECountInfo - -5. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the MOF Editor with a .MOF import file -You can collect your hardware inventory using the MOF Editor and a .MOF import file. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - -2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. - -3. Pick the inventory items to install, and then click **Import**. - -4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. - -**To collect your inventory** - -1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. - -2. Add this text to the end of the file: - - ``` - [SMS_Report (TRUE), - SMS_Group_Name ("IESystemInfo"), - SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IESystemInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String SystemKey; - [SMS_Report (TRUE) ] - String IEVer; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IEURLInfo"), - SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IEURLInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String URL; - [SMS_Report (TRUE) ] - String Domain; - [SMS_Report (TRUE) ] - UInt32 DocMode; - [SMS_Report (TRUE) ] - UInt32 DocModeReason; - [SMS_Report (TRUE) ] - UInt32 Zone; - [SMS_Report (TRUE) ] - UInt32 BrowserStateReason; - [SMS_Report (TRUE) ] - String ActiveXGUID[]; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - [SMS_Report (TRUE) ] - UInt32 NumberOfVisits; - [SMS_Report (TRUE) ] - UInt32 MostRecentNavigationFailure; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IECountInfo"), - SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IECountInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String CountKey; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - }; - ``` - -3. Save the file and close it to the same location. - Your environment is now ready to collect your hardware inventory and review the sample reports. - -## View the sample reports with your collected data -The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. - -### SCCM Report Sample – ActiveX.rdl -Gives you a list of all of the ActiveX-related sites visited by the client computer. - -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) - -### SCCM Report Sample – Site Discovery.rdl -Gives you a list of all of the sites visited by the client computer. - -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) - -## View the collected XML data -After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: - -``` xml - - - [dword] - [dword] - [dword] - - - [string] - - [guid] - - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [string] - [dword] - - - - -``` -You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. - -**To add your XML data to your Enterprise Mode site list** - -1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) - -2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -## Turn off data collection on your client devices -After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. - -**To stop collecting data, using PowerShell** - -- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. - - >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. - - -**To stop collecting data, using Group Policy** - -1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. - -2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. - -### Delete already stored data from client computers -You can completely remove the data stored on your employee’s computers. - -**To delete all existing data** - -- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` - - - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` - -## Related topics -* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. +author: dansimp +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Collect data using Enterprise Site Discovery +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Collect data using Enterprise Site Discovery + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 with Service Pack 1 (SP1) + +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. + +>**Upgrade Readiness and Windows upgrades**
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + + +## Before you begin +Before you start, you need to make sure you have the following: + +- Latest cumulative security update (for all supported versions of Internet Explorer): + + 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. + + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + + 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. + + ![affected software section](images/affectedsoftware.png) + + 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. + +- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: + + - Configuration-related PowerShell scripts + + - IETelemetry.mof file + + - Sample System Center 2012 report templates + + You must use System Center 2012 R2 Configuration Manager or later for these samples to work. + +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. + +## What data is collected? +Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. + +|Data point |IE11 |IE10 |IE9 |IE8 |Description | +|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| +|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | +|Domain | X | X | X | X |Top-level domain of the browsed site. | +|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | +|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | X | X | | |The reason why a document mode was set by IE. | +|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | +|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | X | X | X | X |Number of times a site has been visited. | +|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | + + +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | +|9 |Page state is set by the browser mode and the page's DOCTYPE.| + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | + +## Where is the data stored and how do I collect it? +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: + +- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. + +- **XML file**. Any agent that works with XML can be used. + +## WMI Site Discovery suggestions +We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. + +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges +You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. + +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +### WMI only: Set up your firewall for WMI data +If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: + +**To set up your firewall** + +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. + +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. + +3. Restart your computer to start collecting your WMI data. + +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. + +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. + +**To set up data collection using a domain allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + +**To set up data collection using a zone allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). + +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** + +- Open your Group Policy editor, and go to these new settings: + + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

  • **On.** Turns on WMI recording.
  • **Off.** Turns off WMI recording.
| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
  • **XML file path.** Including this turns on XML recording.
  • **Blank.** Turns off XML recording.
| + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + +### Combining WMI and XML Group Policy settings +You can use both the WMI and XML settings individually or together: + +**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +To turn on both WMI and XML recording + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +## Use Configuration Manager to collect your data +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + +2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. + +3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. + + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + +4. Select the check boxes next to the following classes, and then click **OK**: + + - IESystemInfo + + - IEURLInfo + + - IECountInfo + +5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + +2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. + +3. Pick the inventory items to install, and then click **Import**. + +4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. + +**To collect your inventory** + +1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. + +2. Add this text to the end of the file: + + ``` + [SMS_Report (TRUE), + SMS_Group_Name ("IESystemInfo"), + SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IESystemInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String SystemKey; + [SMS_Report (TRUE) ] + String IEVer; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IEURLInfo"), + SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IEURLInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String URL; + [SMS_Report (TRUE) ] + String Domain; + [SMS_Report (TRUE) ] + UInt32 DocMode; + [SMS_Report (TRUE) ] + UInt32 DocModeReason; + [SMS_Report (TRUE) ] + UInt32 Zone; + [SMS_Report (TRUE) ] + UInt32 BrowserStateReason; + [SMS_Report (TRUE) ] + String ActiveXGUID[]; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + [SMS_Report (TRUE) ] + UInt32 NumberOfVisits; + [SMS_Report (TRUE) ] + UInt32 MostRecentNavigationFailure; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IECountInfo"), + SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IECountInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String CountKey; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + }; + ``` + +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. + +## View the sample reports with your collected data +The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. + +### SCCM Report Sample – ActiveX.rdl +Gives you a list of all of the ActiveX-related sites visited by the client computer. + +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) + +### SCCM Report Sample – Site Discovery.rdl +Gives you a list of all of the sites visited by the client computer. + +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) + +## View the collected XML data +After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: + +``` xml + + + [dword] + [dword] + [dword] + + + [string] + + [guid] + + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [string] + [dword] + + + + +``` +You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. + +**To add your XML data to your Enterprise Mode site list** + +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. + + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +## Turn off data collection on your client devices +After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. + +**To stop collecting data, using PowerShell** + +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. + + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. + + +**To stop collecting data, using Group Policy** + +1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. + +2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. + +### Delete already stored data from client computers +You can completely remove the data stored on your employee’s computers. + +**To delete all existing data** + +- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` + + - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` + +## Related topics +* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) +* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md index bc538f78ad..502c425b80 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md @@ -1,97 +1,97 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. -author: lomayor -ms.prod: ie11 -title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Use the Settings page to finish setting up the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes. - -## Use the Environment settings area -This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications. - -**To add location info** -1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. - - The **Settings** page appears. - -2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**. - -3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**. - -## Use the Group and role settings area -After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. - -**To add a new group and determine the required change request Approvers** -1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. - - The **Settings** page appears. - -2. In the **Group and role settings** area of the page, click **Group details**. - - The **Add or edit group names** box appears. - -3. Click the **Add group** tab, and then add the following info: - - - **New group name.** Type name of your new group. - - - **Group head email.** Type the email address for the primary contact for the group. - - - **Group head name.** This box automatically fills, based on the email address. - - - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box. - -4. Click **Save**. - - -**To set a group's required Approvers** -1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box. - -2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles. - - - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role. - - You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. - - - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role. - - You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. - - - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role. - -## Use the Freeze production changes area -This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date. - -**To add the start and end dates** -1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. - - The **Settings** page appears. - -2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time. - -3. Click **Save**. - -## Related topics -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) - -- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. +author: lomayor +ms.prod: ie11 +title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Use the Settings page to finish setting up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes. + +## Use the Environment settings area +This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications. + +**To add location info** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**. + +3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**. + +## Use the Group and role settings area +After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. + +**To add a new group and determine the required change request Approvers** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Group and role settings** area of the page, click **Group details**. + + The **Add or edit group names** box appears. + +3. Click the **Add group** tab, and then add the following info: + + - **New group name.** Type name of your new group. + + - **Group head email.** Type the email address for the primary contact for the group. + + - **Group head name.** This box automatically fills, based on the email address. + + - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + + +**To set a group's required Approvers** +1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box. + +2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles. + + - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role. + +## Use the Freeze production changes area +This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date. + +**To add the start and end dates** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time. + +3. Click **Save**. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md index 3f3ea15d45..24e93d73e5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -1,73 +1,73 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to create a change request within the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Create a change request using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. - ->[!Important] ->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. - -**To create a new change request** -1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. - - The **Create new request** page appears. - -2. Fill out the required fields, based on the group and the app, including: - - - **Group name.** Select the name of your group from the dropdown box. - - - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. - - - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. - - - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. - - - **Requested by.** Automatically filled in with your name. - - - **Description.** Add descriptive info about the app. - - - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. - - - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. - - - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. - - - **App location (URL).** The full URL location to the app, starting with https:// or https://. - - - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - - - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). - -4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. - - A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. - -5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. - - - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. - - - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. - -## Next steps -After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to create a change request within the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Create a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. + +>[!Important] +>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +**To create a new change request** +1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. + + The **Create new request** page appears. + +2. Fill out the required fields, based on the group and the app, including: + + - **Group name.** Select the name of your group from the dropdown box. + + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. + + - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. + + - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. + + - **Requested by.** Automatically filled in with your name. + + - **Description.** Add descriptive info about the app. + + - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. + + - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. + + - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. + + - **App location (URL).** The full URL location to the app, starting with https:// or https://. + + - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. + + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). + +4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. + + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. + +5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. + + - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. + + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. + +## Next steps +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index 090b718581..c69b357557 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Create packages for multiple operating systems or languages -author: lomayor -ms.prod: ie11 -ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Create packages for multiple operating systems or languages -You'll create multiple versions of your custom browser package if: - -- You support more than 1 version of Windows®. - -- You support more than 1 language. - -- You have custom installation packages with only minor differences. Like, having a different phone number. - - **To create a new package** - -1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic. - -2. Go to your **CIE/Custom** folder and rename the `Install.ins`file. For example, if you need a version for employees in Texas, rename the file to Texas.ins. - -3. Run the wizard again, using the Custom folder as the destination directory.

-**Important**
-Except for the **Title bar** text, **Favorites**, **Links bar**, **Home page**, and **Search bar**, keep all of your wizard settings the same for all of your build computers. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Create packages for multiple operating systems or languages +author: lomayor +ms.prod: ie11 +ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Create packages for multiple operating systems or languages +You'll create multiple versions of your custom browser package if: + +- You support more than 1 version of Windows®. + +- You support more than 1 language. + +- You have custom installation packages with only minor differences. Like, having a different phone number. + + **To create a new package** + +1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic. + +2. Go to your **CIE/Custom** folder and rename the `Install.ins`file. For example, if you need a version for employees in Texas, rename the file to Texas.ins. + +3. Run the wizard again, using the Custom folder as the destination directory.

+**Important**
+Except for the **Title bar** text, **Favorites**, **Links bar**, **Home page**, and **Search bar**, keep all of your wizard settings the same for all of your build computers. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md index 421429eb16..d5ebc1d49f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Customize Internet Explorer 11 installation packages -author: lomayor -ms.prod: ie11 -ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Customize Internet Explorer 11 installation packages -You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files. - -|Topic |Description | -|------------------------------------------------------------------------|----------------------------------------------------| -|[Using IEAK 11 to create packages](using-ieak11-to-create-install-packages.md) |How to use the Internet Explorer Administration Kit 11 (IEAK 11) and the IE Customization Wizard 11 to set up, configure, deploy, and maintain IE11. | -|[Create packages for multiple operating systems or languages](create-install-packages-for-multiple-operating-systems-or-languages.md) |How to create multiple versions of your custom installation package, to support multiple operating systems or languages. | -|[Using .INF files to create packages](using-inf-files-to-create-install-packages.md) |How to use the Microsoft® Windows Setup Engine to automate setup tasks and customize your component installations. | - - - -In addition, you can configure IE before, during, or after deployment, using these tools: - -- **IE Administration Kit 11 (IEAK 11)**. Creates customized installation packages that can be deployed through your software distribution system. For more information about the IEAK 11, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). - -- **Group Policy**. Configures and enforces IE11 settings. For more information about settings and configuration options, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). - -- **Unattend.xml**. Customizes some of the IE settings during your Windows installation. This option only applies if you're updating a Windows image with IE11.

**Note**
-You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789). - -   - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Customize Internet Explorer 11 installation packages +author: lomayor +ms.prod: ie11 +ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Customize Internet Explorer 11 installation packages +You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files. + +|Topic |Description | +|------------------------------------------------------------------------|----------------------------------------------------| +|[Using IEAK 11 to create packages](using-ieak11-to-create-install-packages.md) |How to use the Internet Explorer Administration Kit 11 (IEAK 11) and the IE Customization Wizard 11 to set up, configure, deploy, and maintain IE11. | +|[Create packages for multiple operating systems or languages](create-install-packages-for-multiple-operating-systems-or-languages.md) |How to create multiple versions of your custom installation package, to support multiple operating systems or languages. | +|[Using .INF files to create packages](using-inf-files-to-create-install-packages.md) |How to use the Microsoft® Windows Setup Engine to automate setup tasks and customize your component installations. | + + + +In addition, you can configure IE before, during, or after deployment, using these tools: + +- **IE Administration Kit 11 (IEAK 11)**. Creates customized installation packages that can be deployed through your software distribution system. For more information about the IEAK 11, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). + +- **Group Policy**. Configures and enforces IE11 settings. For more information about settings and configuration options, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). + +- **Unattend.xml**. Customizes some of the IE settings during your Windows installation. This option only applies if you're updating a Windows image with IE11.

**Note**
+You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789). + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 9fe470dfba..71d871cad1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -description: Delete a single site from your global Enterprise Mode site list. -ms.pagetype: appcompat -ms.mktglfcycl: deploy -author: lomayor -ms.prod: ie11 -ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - - - **To delete a single site from your global Enterprise Mode site list** - -- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
-The site is permanently removed from your list. - -If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system. - -- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) - -- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +description: Delete a single site from your global Enterprise Mode site list. +ms.pagetype: appcompat +ms.mktglfcycl: deploy +author: lomayor +ms.prod: ie11 +ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + + + **To delete a single site from your global Enterprise Mode site list** + +- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
+The site is permanently removed from your list. + +If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system. + +- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) + +- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index e964d84927..21baca9a6b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). -author: lomayor -ms.prod: ie11 -ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) -You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). - -## What is Automatic Version Synchronization? -Automatic Version Synchronization (AVS) lets you use the Internet Explorer Administration Kit 11 (IEAK 11) to synchronize the IE11 setup files on a local computer with the latest setup files on the web. - -You must synchronize the setup files at least once on the local computer, for each language and operating system combination, before proceeding through the rest of the wizard. If your packages have more than one version of IE, you need to keep the versions in separate component download folders, which can be pointed to from the **File Locations** page of the IEAK 11. For more information about using the AVS feature, see [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](../ie11-ieak/auto-version-sync-ieak11-wizard.md) -. - -## Related topics -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) -- [Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). +author: lomayor +ms.prod: ie11 +ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) +You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). + +## What is Automatic Version Synchronization? +Automatic Version Synchronization (AVS) lets you use the Internet Explorer Administration Kit 11 (IEAK 11) to synchronize the IE11 setup files on a local computer with the latest setup files on the web. + +You must synchronize the setup files at least once on the local computer, for each language and operating system combination, before proceeding through the rest of the wizard. If your packages have more than one version of IE, you need to keep the versions in separate component download folders, which can be pointed to from the **File Locations** page of the IEAK 11. For more information about using the AVS feature, see [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](../ie11-ieak/auto-version-sync-ieak11-wizard.md) +. + +## Related topics +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) +- [Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md index cffde71282..1df03c3f05 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md @@ -1,33 +1,33 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Deploy Internet Explorer 11 using software distribution tools -author: lomayor -ms.prod: ie11 -ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Deploy Internet Explorer 11 using software distribution tools -If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include: - -- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664). - -- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). - -- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](https://go.microsoft.com/fwlink/p/?LinkId=296365). - -- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkID=331148). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Deploy Internet Explorer 11 using software distribution tools +author: lomayor +ms.prod: ie11 +ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Deploy Internet Explorer 11 using software distribution tools +If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include: + +- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664). + +- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). + +- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](https://go.microsoft.com/fwlink/p/?LinkId=296365). + +- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkID=331148). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index b2038ad2f7..acb447d590 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -1,121 +1,121 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. -author: lomayor -ms.prod: ie11 -ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. - -The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=398474). - -## Deploying pinned websites in MDT 2013 -This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=398475) in the TechNet library. - -Deploying pinned websites in MDT 2013 is a 4-step process: - -1. Create a .website file for each website that you want to deploy. When you pin a website to the taskbar, Windows 8.1 creates a .website file that describes how the icon should look and feel. - -2. Copy the .website files to your deployment share. - -3. Copy the .website files to your target computers. - -4. Edit the task sequence of your Unattend.xml answer files to pin the websites to the taskbar. In particular, you want to add each .website file to the **TaskbarLinks** item in Unattend.xml during oobeSystem phase. You can add up to six .website files to the **TaskbarLinks** item. - -Pinned websites are immediately available to every user who logs on to the computer although the user must click each icon to populate its Jump List. - -**Important**
-To follow the examples in this topic, you’ll need to pin the Bing (https://www.bing.com/) and MSN (https://www.msn.com/) websites to the taskbar. - -### Step 1: Creating .website files -The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks. - - **To create each .website file** - -1. Open the website in IE11. - -2. Drag the website’s tab and drop it on the Windows 8.1 taskbar. - -3. Go to `%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar` in Windows Explorer, and copy the bing.website and msn.website files to your desktop. - -### Step 2: Copying the .website files to the deployment share -Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer. - - **To copy .website files to the deployment share** - -1. Open your MDT 2013 deployment share in Windows Explorer. - -2. In the `$OEM$` folder, create the path `$1\Users\Public\Public Links`. If the `$OEM$` folder doesn’t exist, create it at the root of your deployment share. - -3. Copy the bing.website and msn.website files from your desktop to `$OEM$\$1\Users\Public\Public Links` in your deployment share. - -### Step 3: Copying .website files to target computers -After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar. - - **To copy .website files to target computers** - -1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**. - -2. In the right pane of the **Deployment Workbench**, right-click your task sequence (create a new one if you don’t have one yet), and click **Properties**. - -3. In the **Task Sequence** tab, click the **Postinstall** folder, click **General** from the **Add** button, and then click **Run Command Line**. - -4. Rename the newly created item to *Copy Files* and move it up to the top of the **Postinstall** folder. - -5. In the **Command Line** box enter the following text, `xcopy "%DEPLOYROOT%\$OEM$\$1" "%OSDisk%\" /yqe`. - -6. Click the **Apply** button to save your changes. - -### Step 4: Pinning .website files to the Taskbar -With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar. - - **To pin .website files to the Taskbar** - -1. Open the Windows System Image Manager (Windows SIM). - -2. On the **OS Info** tab, click **Edit Unattend.xml** to open the Unattend.xml file. - -2. In the **Windows Image** pane, under **Components** and then **Microsoft-Windows-Shell-Setup**, right-click **TaskbarLinks**, and then click **Add Setting to Pass 7 oobeSystem**. - -3. In the **TaskbarLinks Properties** pane, add the relative path to the target computer’s (not the deployment share’s) .website files that you created earlier. You can add up to six links to the **TaskbarLinks** item. For example, `%PUBLIC%\Users\Public\Public Links\Bing.website` and `%PUBLIC%\Users\Public\Public Links\MSN.website` - -4. On the **File** menu, click **Save Answer File**, and then close Windows SIM. - -5. To close the task sequence, click **OK**. - -## Updating intranet websites for pinning -The MDT 2013 deployment share and task sequences are now ready to pin websites to the taskbar during deployment. This pinning feature can include intranet sites important in your organization. - -You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](https://go.microsoft.com/fwlink/p/?LinkId=398484) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery. - -## Related topics -- [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788) -- [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789) -- [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148) -- [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. +author: lomayor +ms.prod: ie11 +ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. + +The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=398474). + +## Deploying pinned websites in MDT 2013 +This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=398475) in the TechNet library. + +Deploying pinned websites in MDT 2013 is a 4-step process: + +1. Create a .website file for each website that you want to deploy. When you pin a website to the taskbar, Windows 8.1 creates a .website file that describes how the icon should look and feel. + +2. Copy the .website files to your deployment share. + +3. Copy the .website files to your target computers. + +4. Edit the task sequence of your Unattend.xml answer files to pin the websites to the taskbar. In particular, you want to add each .website file to the **TaskbarLinks** item in Unattend.xml during oobeSystem phase. You can add up to six .website files to the **TaskbarLinks** item. + +Pinned websites are immediately available to every user who logs on to the computer although the user must click each icon to populate its Jump List. + +**Important**
+To follow the examples in this topic, you’ll need to pin the Bing (https://www.bing.com/) and MSN (https://www.msn.com/) websites to the taskbar. + +### Step 1: Creating .website files +The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks. + + **To create each .website file** + +1. Open the website in IE11. + +2. Drag the website’s tab and drop it on the Windows 8.1 taskbar. + +3. Go to `%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar` in Windows Explorer, and copy the bing.website and msn.website files to your desktop. + +### Step 2: Copying the .website files to the deployment share +Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer. + + **To copy .website files to the deployment share** + +1. Open your MDT 2013 deployment share in Windows Explorer. + +2. In the `$OEM$` folder, create the path `$1\Users\Public\Public Links`. If the `$OEM$` folder doesn’t exist, create it at the root of your deployment share. + +3. Copy the bing.website and msn.website files from your desktop to `$OEM$\$1\Users\Public\Public Links` in your deployment share. + +### Step 3: Copying .website files to target computers +After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar. + + **To copy .website files to target computers** + +1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**. + +2. In the right pane of the **Deployment Workbench**, right-click your task sequence (create a new one if you don’t have one yet), and click **Properties**. + +3. In the **Task Sequence** tab, click the **Postinstall** folder, click **General** from the **Add** button, and then click **Run Command Line**. + +4. Rename the newly created item to *Copy Files* and move it up to the top of the **Postinstall** folder. + +5. In the **Command Line** box enter the following text, `xcopy "%DEPLOYROOT%\$OEM$\$1" "%OSDisk%\" /yqe`. + +6. Click the **Apply** button to save your changes. + +### Step 4: Pinning .website files to the Taskbar +With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar. + + **To pin .website files to the Taskbar** + +1. Open the Windows System Image Manager (Windows SIM). + +2. On the **OS Info** tab, click **Edit Unattend.xml** to open the Unattend.xml file. + +2. In the **Windows Image** pane, under **Components** and then **Microsoft-Windows-Shell-Setup**, right-click **TaskbarLinks**, and then click **Add Setting to Pass 7 oobeSystem**. + +3. In the **TaskbarLinks Properties** pane, add the relative path to the target computer’s (not the deployment share’s) .website files that you created earlier. You can add up to six links to the **TaskbarLinks** item. For example, `%PUBLIC%\Users\Public\Public Links\Bing.website` and `%PUBLIC%\Users\Public\Public Links\MSN.website` + +4. On the **File** menu, click **Save Answer File**, and then close Windows SIM. + +5. To close the task sequence, click **OK**. + +## Updating intranet websites for pinning +The MDT 2013 deployment share and task sequences are now ready to pin websites to the taskbar during deployment. This pinning feature can include intranet sites important in your organization. + +You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](https://go.microsoft.com/fwlink/p/?LinkId=398484) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery. + +## Related topics +- [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788) +- [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789) +- [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148) +- [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index b34b835676..d892799770 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -1,61 +1,61 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. -author: lomayor -ms.prod: ie11 -ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Deprecated document modes and Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes. - -This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices. - ->**Note**
->For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). - -## What is document mode? -Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly. - -Because our goal with Microsoft Edge is to give users the best site and app viewing experience possible, we’ve decided to stop support for document modes. All websites and apps using legacy features and code will need to be updated to rely on the new modern standards and practices. - -If you have legacy sites and apps that can’t be updated to modern standards, you can continue to use IE11 and document modes. We recommend that you use the **IE11 Standards document mode** because it represents the highest support available for modern standards. You should also use the HTML5 document type declaration to turn on the latest supported standards while using IE11:``. - -## Document modes and IE11 -The compatibility improvements made in IE11 lets older websites just work in the latest standards mode, by default, without requiring emulation of the previous browser behavior. Because older websites are now just working, we’ve decided that Internet Explorer 10 document mode will be the last new document mode. Instead, developers will need to move to using the IE11 document mode going forward. - -## Document mode selection flowchart -This flowchart shows how IE11 works when document modes are used. - -![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
-[Click this link to enlarge image](img-ie11-docmode-lg.md) - -## Known Issues with Internet Explorer 8 document mode in Enterprise Mode -The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode. - -## Related topics -- [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. +author: lomayor +ms.prod: ie11 +ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Deprecated document modes and Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes. + +This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices. + +>**Note**
+>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). + +## What is document mode? +Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly. + +Because our goal with Microsoft Edge is to give users the best site and app viewing experience possible, we’ve decided to stop support for document modes. All websites and apps using legacy features and code will need to be updated to rely on the new modern standards and practices. + +If you have legacy sites and apps that can’t be updated to modern standards, you can continue to use IE11 and document modes. We recommend that you use the **IE11 Standards document mode** because it represents the highest support available for modern standards. You should also use the HTML5 document type declaration to turn on the latest supported standards while using IE11:``. + +## Document modes and IE11 +The compatibility improvements made in IE11 lets older websites just work in the latest standards mode, by default, without requiring emulation of the previous browser behavior. Because older websites are now just working, we’ve decided that Internet Explorer 10 document mode will be the last new document mode. Instead, developers will need to move to using the IE11 document mode going forward. + +## Document mode selection flowchart +This flowchart shows how IE11 works when document modes are used. + +![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
+[Click this link to enlarge image](img-ie11-docmode-lg.md) + +## Known Issues with Internet Explorer 8 document mode in Enterprise Mode +The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode. + +## Related topics +- [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 82c1e09e9d..6f6339d452 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. -author: lomayor -ms.prod: ie11 -ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. - -If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). - - **To change how your page renders** - -1. In the Enterprise Mode Site List Manager, double-click the site you want to change. - -2. Change the comment or the compatibility mode option. - -3. Click **Save** to validate your changes and to add the updated information to your site list.
-If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -4. On the **File** menu, click **Save to XML**, and save the updated file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. +author: lomayor +ms.prod: ie11 +ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. + +If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). + + **To change how your page renders** + +1. In the Enterprise Mode Site List Manager, double-click the site you want to change. + +2. Change the comment or the compatibility mode option. + +3. Click **Save** to validate your changes and to add the updated information to your site list.
+If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +4. On the **File** menu, click **Save to XML**, and save the updated file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index 236dfd3b18..4e5e30e18a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md @@ -1,110 +1,110 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Enable and disable add-ons using administrative templates and group policy -ms.author: lomayor -author: lomayor -ms.prod: ie11 -ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b -ms.reviewer: -manager: dansimp -title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 4/12/2018 ---- - - -# Enable and disable add-ons using administrative templates and group policy -Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates. - -There are four types of add-ons: - -- **Search Providers.** Type a term and see suggestions provided by your search provider. - -- **Accelerators.** Highlight text on a web page and then click the blue **Accelerator** icon to email, map, search, translate, or do many other tasks. - -- **Web Slices.** Subscribe to parts of a website to get real-time information on the Favorites bar. - -- **Toolbars.** Add features (like stock tickers) to your browser. - -## Using the Local Group Policy Editor to manage group policy objects -You can use the Local Group Policy Editor to change how add-ons work in your organization. - - **To manage add-ons** - -1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`. - -2. Change any or all of these settings to match your company’s policy and requirements. - - - Turn off add-on performance notifications - - - Automatically activate newly installed add-ons - - - Do not allow users to enable or disable add-ons - -3. Go into the **Internet Control Panel\\Advance Page** folder, where you can change: - - - Do not allow resetting IE settings - - - Allow third-party browser extensions - -4. Go into the **Security Features\\Add-on Management** folder, where you can change: - - - Add-on List - - - Deny all add-ons unless specifically allowed in the Add-on List - - - Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects - -5. Close the Local Group Policy Editor when you’re done. - -## Using the CLSID and Administrative Templates to manage group policy objects -Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates. - - **To manage add-ons** - -1. Get the CLSID for the add-on you want to enable or disable: - - 1. Open IE, click **Tools**, and then click **Manage Add-ons**. - - 2. Double-click the add-on you want to change. - - 3. In the More Information dialog, click **Copy** and then click **Close**. - - 4. Open Notepad and paste the information for the add-on. - - 5. On the Manage Add-ons windows, click **Close**. - - 6. On the Internet Options dialog, click **Close** and then close IE. - -2. From the copied information, select and copy just the **Class ID** value. - - >[!NOTE] - >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. - -3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. -
**-OR-**
-Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. - -4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.
The Show Contents dialog appears. - -6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. - -6. In **Value**, enter one of the following: - - - **0**. The add-on is disabled and your employees can’t change it. - - - **1**. The add-on is enabled and your employees can’t change it. - - - **2**. The add-on is enabled and your employees can change it. - -7. Close the Show Contents dialog. - -7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer. - -8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.

Enabling turns off the message prompting you to Enable or Don't enable the add-on. - -7. Click **OK** twice to close the Group Policy editor. - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Enable and disable add-ons using administrative templates and group policy +ms.author: lomayor +author: lomayor +ms.prod: ie11 +ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b +ms.reviewer: +audience: itpro manager: dansimp +title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 4/12/2018 +--- + + +# Enable and disable add-ons using administrative templates and group policy +Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates. + +There are four types of add-ons: + +- **Search Providers.** Type a term and see suggestions provided by your search provider. + +- **Accelerators.** Highlight text on a web page and then click the blue **Accelerator** icon to email, map, search, translate, or do many other tasks. + +- **Web Slices.** Subscribe to parts of a website to get real-time information on the Favorites bar. + +- **Toolbars.** Add features (like stock tickers) to your browser. + +## Using the Local Group Policy Editor to manage group policy objects +You can use the Local Group Policy Editor to change how add-ons work in your organization. + + **To manage add-ons** + +1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`. + +2. Change any or all of these settings to match your company’s policy and requirements. + + - Turn off add-on performance notifications + + - Automatically activate newly installed add-ons + + - Do not allow users to enable or disable add-ons + +3. Go into the **Internet Control Panel\\Advance Page** folder, where you can change: + + - Do not allow resetting IE settings + + - Allow third-party browser extensions + +4. Go into the **Security Features\\Add-on Management** folder, where you can change: + + - Add-on List + + - Deny all add-ons unless specifically allowed in the Add-on List + + - Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects + +5. Close the Local Group Policy Editor when you’re done. + +## Using the CLSID and Administrative Templates to manage group policy objects +Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates. + + **To manage add-ons** + +1. Get the CLSID for the add-on you want to enable or disable: + + 1. Open IE, click **Tools**, and then click **Manage Add-ons**. + + 2. Double-click the add-on you want to change. + + 3. In the More Information dialog, click **Copy** and then click **Close**. + + 4. Open Notepad and paste the information for the add-on. + + 5. On the Manage Add-ons windows, click **Close**. + + 6. On the Internet Options dialog, click **Close** and then close IE. + +2. From the copied information, select and copy just the **Class ID** value. + + >[!NOTE] + >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. + +3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. +
**-OR-**
+Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. + +4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.
The Show Contents dialog appears. + +6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. + +6. In **Value**, enter one of the following: + + - **0**. The add-on is disabled and your employees can’t change it. + + - **1**. The add-on is enabled and your employees can’t change it. + + - **2**. The add-on is enabled and your employees can change it. + +7. Close the Show Contents dialog. + +7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer. + +8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.

Enabling turns off the message prompting you to Enable or Don't enable the add-on. + +7. Click **OK** twice to close the Group Policy editor. + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md index 6d21965faa..d1ac1a3190 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md @@ -1,30 +1,30 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Enhanced Protected Mode problems with Internet Explorer -author: lomayor -ms.prod: ie11 -ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Enhanced Protected Mode problems with Internet Explorer -Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on. - -You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide. - -For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=282662) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Enhanced Protected Mode problems with Internet Explorer +author: lomayor +ms.prod: ie11 +ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enhanced Protected Mode problems with Internet Explorer +Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on. + +You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide. + +For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=282662) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index f3ffd4bf9f..2059dff44a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. -author: lomayor -ms.prod: ie11 -ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Enterprise Mode for Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -## In this section - -|Topic |Description | -|---------------------------------------------------------------|-----------------------------------------------------------------------------------| -|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | -|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | -|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | -|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | -|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | -|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| -|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | -|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | -|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | -|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | -|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | -|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. | -|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. +author: lomayor +ms.prod: ie11 +ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode for Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +## In this section + +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | +|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | +|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | +|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| +|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | +|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | +|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | +|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. | +|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index daa0f1c0ee..3e8e129b3d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -1,236 +1,236 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. -author: lomayor -ms.prod: ie11 -ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Enterprise Mode schema v.1 guidance - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 - -Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - -If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. - -## Enterprise Mode schema v.1 example -The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. - -**Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both https://contoso.com and https://contoso.com. - -``` xml - - - www.cpandl.com - www.woodgrovebank.com - adatum.com - contoso.com - relecloud.com - /about - - fabrikam.com - /products - - - - contoso.com - /travel - - fabrikam.com - /products - - - -``` - -### Schema elements -This table includes the elements used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ElementDescriptionSupported browser
<rules>Root node for the schema. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
--or- -

For IPv6 ranges:

<rules version="205">
-  <emie>
-    <domain>[10.122.34.99]:8080</domain>
-  </emie>
-  </rules>
--or- -

For IPv4 ranges:

<rules version="205">
-  <emie>
-    <domain>10.122.34.99:8080</domain>
-  </emie>
-  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. -

Example -

-<rules version="205">
-  <docMode>
-    <domain docMode="7">contoso.com</domain>
-  </docMode>
-</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. -

Example -

-<emie>
-  <domain>contoso.com:8080</domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. -

Example -

-<emie>
-  <domain exclude="true">fabrikam.com
-    <path exclude="false">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
- -### Schema attributes -This table includes the attributes used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - -
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements. -

Example -

-<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. -

Example -

-<docMode>
-  <domain exclude="false">fabrikam.com
-    <path docMode="7">/products</path>
-  </domain>
-</docMode>
Internet Explorer 11
- -### Using Enterprise Mode and document mode together -If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. - -For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node. - -```xml - - - contoso.com - test.contoso.com - - - test.contoso.com - - -``` - -### What not to include in your schema -We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: -- Don’t use protocols. For example, `https://`, `https://`, or custom protocols. They break parsing. -- Don’t use wildcards. -- Don’t use query strings, ampersands break parsing. - -## How to use trailing slashes -You can use trailing slashes at the path-level, but not at the domain-level: -- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing. -- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths. - -**Example** - -``` xml -contoso.com - /about/ - -``` -In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode. - - -## How to target specific sites -If you want to target specific sites in your organization. - -|Targeted site |Example |Explanation | -|--------------|--------|------------| -|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode> |

  • contoso.com uses document mode 5.
  • info.contoso.com uses document mode 9.
  • test.contoso.com also uses document mode 5.
| -|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>|
  • bing.com uses IE8 Enterprise Mode.
  • contoso.com uses IE7 Enterprise Mode.
| -|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
| -|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
| +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. +author: lomayor +ms.prod: ie11 +ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode schema v.1 guidance + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. + +## Enterprise Mode schema v.1 example +The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. + +**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both https://contoso.com and https://contoso.com. + +``` xml + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +### Schema elements +This table includes the elements used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescriptionSupported browser
<rules>Root node for the schema. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
+-or- +

For IPv6 ranges:

<rules version="205">
+  <emie>
+    <domain>[10.122.34.99]:8080</domain>
+  </emie>
+  </rules>
+-or- +

For IPv4 ranges:

<rules version="205">
+  <emie>
+    <domain>10.122.34.99:8080</domain>
+  </emie>
+  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. +

Example +

+<rules version="205">
+  <docMode>
+    <domain docMode="7">contoso.com</domain>
+  </docMode>
+</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. +

Example +

+<emie>
+  <domain>contoso.com:8080</domain>
+</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. +

Example +

+<emie>
+  <domain exclude="true">fabrikam.com
+    <path exclude="false">/products</path>
+  </domain>
+</emie>

+Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
+ +### Schema attributes +This table includes the attributes used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements. +

Example +

+<emie>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
+  </domain>
+</emie>

+Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. +

Example +

+<docMode>
+  <domain exclude="false">fabrikam.com
+    <path docMode="7">/products</path>
+  </domain>
+</docMode>
Internet Explorer 11
+ +### Using Enterprise Mode and document mode together +If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. + +For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node. + +```xml + + + contoso.com + test.contoso.com + + + test.contoso.com + + +``` + +### What not to include in your schema +We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: +- Don’t use protocols. For example, `https://`, `https://`, or custom protocols. They break parsing. +- Don’t use wildcards. +- Don’t use query strings, ampersands break parsing. + +## How to use trailing slashes +You can use trailing slashes at the path-level, but not at the domain-level: +- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing. +- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths. + +**Example** + +``` xml +contoso.com + /about/ + +``` +In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode. + + +## How to target specific sites +If you want to target specific sites in your organization. + +|Targeted site |Example |Explanation | +|--------------|--------|------------| +|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode> |
  • contoso.com uses document mode 5.
  • info.contoso.com uses document mode 9.
  • test.contoso.com also uses document mode 5.
| +|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>|
  • bing.com uses IE8 Enterprise Mode.
  • contoso.com uses IE7 Enterprise Mode.
| +|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
| +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
| diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 187ba67198..17e4e860cf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -7,6 +7,7 @@ author: lomayor ms.prod: ie11 ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 ms.reviewer: +audience: itpro manager: dansimp ms.author: lomayor title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index d2b98ef8a0..abb8513201 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. -author: lomayor -ms.prod: ie11 -ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved. - -**Important**
  -This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file. - - **To export your compatibility list** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**. - -2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`. - -## Related topics - -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. +author: lomayor +ms.prod: ie11 +ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved. + +**Important**
  +This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file. + + **To export your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**. + +2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`. + +## Related topics + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 2170dd1219..a48b0e5732 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -1,109 +1,109 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. -author: lomayor -ms.prod: ie11 -ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix web compatibility issues using document modes and the Enterprise Mode site list (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix web compatibility issues using document modes and the Enterprise Mode site list -The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps. - -## What does this mean for me? -Enterprises can have critical apps that are coded explicitly for a specific browser version and that might not be in their direct control, making it very difficult and expensive to update to modern standards or newer browser versions. Because you can decide which URLs should open using specific document modes, this update helps ensure better compatibility, faster upgrades, and reduced testing and fixing costs. - -## How does this fix work? -You can continue to use your legacy and orphaned web apps, by specifying a document mode in the centralized Enterprise Mode site list. Then, when IE11 goes to a site on your list, the browser loads the page in the specified document mode just as it would if it were specified through an X-UA-Compatible meta tag on the site. For more information about document modes and X-UA-compatible headers, see [Defining document compatibility](https://go.microsoft.com/fwlink/p/?LinkId=518412). - -**Important**
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. - -### When do I use document modes versus Enterprise Mode? -While the `` functionality provides great compatibility for you on Windows Internet Explorer 8 or Windows Internet Explorer 7, the new `` capabilities can help you stay up-to-date regardless of which versions of IE are running in your environment. Because of this, we recommend starting your testing process like this: - -- If your enterprise primarily uses Internet Explorer 8 or Internet Explorer 7 start testing using Enterprise Mode. - -- If your enterprise primarily uses Windows Internet Explorer 9 or Internet Explorer 10, start testing using the various document modes. - -Because you might have multiple versions of IE deployed, you might need to use both Enterprise Mode and document modes to effectively move to IE11. - -### Test your sites for document mode compatibility -To see if this fix might help you, run through this process one step at a time, for each of your problematic sites: - -1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. - - ![Emulation tool showing document mode selection](images/docmode-f12.png) - -2. Starting with the **11 (Default)** option, test your broken scenario.
-If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](https://go.microsoft.com/fwlink/p/?LinkId=518417). - -3. If none of the document modes fix your issue, change the **Browser Profile** to **Enterprise**, pick the mode you want to test with starting with **8** (IE8 Enterprise Mode), and then test your broken scenario. - -### Add your site to the Enterprise Mode site list -After you’ve figured out the document mode that fixes your compatibility problems, you can add the site to your Enterprise Mode site list. - -**Note**
-There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - - **To add your site to the site list** - -1. Open the Enterprise Mode Site List Manager, and click **Add**. - - ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) - -2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
-Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. - -**Note**
-For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager and how to add sites to your site list, see [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - - -### Review your Enterprise Mode site list -Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: - -![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) - -And the underlying XML code will look something like: - -``` xml - - - bing.com/images - www.msn.com/news - - - - timecard - tar - msdn.microsoft.com - - -``` - -### Turn on Enterprise Mode and using your site list -If you haven’t already turned on Enterprise Mode for your company, you’ll need to do that. You can turn on Enterprise Mode using Group Policy or your registry. For specific instructions and details, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Turn off default Compatibility View for your intranet sites -By default, IE11 uses the **Display intranet sites in Compatibility View** setting. However, we’ve heard your feedback and know that you might want to turn this functionality off so you can continue to upgrade your web apps to more modern standards. - -To help you move forward, you can now use the Enterprise Mode site list to specify sites or web paths to use the IE7 document mode, which goes down to IE5 “Quirks” mode if the page doesn’t have an explicit `DOCTYPE` tag. Using this document mode effectively helps you provide the Compatibility View functionality for single sites or a group of sites, which after thorough testing, can help you turn off Compatibility View as the default setting for your intranet sites. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. +author: lomayor +ms.prod: ie11 +ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix web compatibility issues using document modes and the Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix web compatibility issues using document modes and the Enterprise Mode site list +The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps. + +## What does this mean for me? +Enterprises can have critical apps that are coded explicitly for a specific browser version and that might not be in their direct control, making it very difficult and expensive to update to modern standards or newer browser versions. Because you can decide which URLs should open using specific document modes, this update helps ensure better compatibility, faster upgrades, and reduced testing and fixing costs. + +## How does this fix work? +You can continue to use your legacy and orphaned web apps, by specifying a document mode in the centralized Enterprise Mode site list. Then, when IE11 goes to a site on your list, the browser loads the page in the specified document mode just as it would if it were specified through an X-UA-Compatible meta tag on the site. For more information about document modes and X-UA-compatible headers, see [Defining document compatibility](https://go.microsoft.com/fwlink/p/?LinkId=518412). + +**Important**
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. + +### When do I use document modes versus Enterprise Mode? +While the `` functionality provides great compatibility for you on Windows Internet Explorer 8 or Windows Internet Explorer 7, the new `` capabilities can help you stay up-to-date regardless of which versions of IE are running in your environment. Because of this, we recommend starting your testing process like this: + +- If your enterprise primarily uses Internet Explorer 8 or Internet Explorer 7 start testing using Enterprise Mode. + +- If your enterprise primarily uses Windows Internet Explorer 9 or Internet Explorer 10, start testing using the various document modes. + +Because you might have multiple versions of IE deployed, you might need to use both Enterprise Mode and document modes to effectively move to IE11. + +### Test your sites for document mode compatibility +To see if this fix might help you, run through this process one step at a time, for each of your problematic sites: + +1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool. + + ![Emulation tool showing document mode selection](images/docmode-f12.png) + +2. Starting with the **11 (Default)** option, test your broken scenario.
+If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](https://go.microsoft.com/fwlink/p/?LinkId=518417). + +3. If none of the document modes fix your issue, change the **Browser Profile** to **Enterprise**, pick the mode you want to test with starting with **8** (IE8 Enterprise Mode), and then test your broken scenario. + +### Add your site to the Enterprise Mode site list +After you’ve figured out the document mode that fixes your compatibility problems, you can add the site to your Enterprise Mode site list. + +**Note**
+There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). + + **To add your site to the site list** + +1. Open the Enterprise Mode Site List Manager, and click **Add**. + + ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png) + +2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
+Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11. + +**Note**
+For more information about Enterprise Mode, see [What is Enterprise Mode?](what-is-enterprise-mode.md) For more information about the Enterprise Mode Site List Manager and how to add sites to your site list, see [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). + + +### Review your Enterprise Mode site list +Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like: + +![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png) + +And the underlying XML code will look something like: + +``` xml + + + bing.com/images + www.msn.com/news + + + + timecard + tar + msdn.microsoft.com + + +``` + +### Turn on Enterprise Mode and using your site list +If you haven’t already turned on Enterprise Mode for your company, you’ll need to do that. You can turn on Enterprise Mode using Group Policy or your registry. For specific instructions and details, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Turn off default Compatibility View for your intranet sites +By default, IE11 uses the **Display intranet sites in Compatibility View** setting. However, we’ve heard your feedback and know that you might want to turn this functionality off so you can continue to upgrade your web apps to more modern standards. + +To help you move forward, you can now use the Enterprise Mode site list to specify sites or web paths to use the IE7 document mode, which goes down to IE5 “Quirks” mode if the page doesn’t have an explicit `DOCTYPE` tag. Using this document mode effectively helps you provide the Compatibility View functionality for single sites or a group of sites, which after thorough testing, can help you turn off Compatibility View as the default setting for your intranet sites. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md index 69d58d1c31..852ac4ae6c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. -author: lomayor -ms.prod: ie11 -ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix validation problems using the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. If a site doesn’t pass validation, you’ll have a couple of options to address it. - -There are typically 3 types of errors you’ll see: - -- **Validation**. The site caused a validation error. Typically these occur because of typos, malformed URLs, or access-related issues. You can pick the site, click **Add to list** to ignore the problem and accept the site to your site list, or you can click **OK** to keep the site off of your site list. - -- **Duplicate**. The site already exists in the global compatibility list with a different compatibility mode. For example, the site was originally rendered in Enterprise Mode, but this update is for Default IE. You can pick the site, click **Add to list** to ignore the problem and accept the change to your site list, or you can click **OK** to keep your original compatibility mode. - -- **Redirection**. This is the least common type of validation error. Typically in this situation, a site redirects from an easy-to-remember URL to a longer URL. Like `\\tar` redirects to `\\timecard`. You can add the short URL or you can add both the short and long versions to your list.
-Another possibility is that redirection happens multiple times, with an intermediary site experiencing compatibility issues. For example, an employee types a short URL that then redirects multiple times, finally ending up on a non-intranet site. In this situation, you might want to add the intermediary URLs to your Enterprise Mode site list, in case there’s logic in one of them that has compatibility issues. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. +author: lomayor +ms.prod: ie11 +ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix validation problems using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. If a site doesn’t pass validation, you’ll have a couple of options to address it. + +There are typically 3 types of errors you’ll see: + +- **Validation**. The site caused a validation error. Typically these occur because of typos, malformed URLs, or access-related issues. You can pick the site, click **Add to list** to ignore the problem and accept the site to your site list, or you can click **OK** to keep the site off of your site list. + +- **Duplicate**. The site already exists in the global compatibility list with a different compatibility mode. For example, the site was originally rendered in Enterprise Mode, but this update is for Default IE. You can pick the site, click **Add to list** to ignore the problem and accept the change to your site list, or you can click **OK** to keep your original compatibility mode. + +- **Redirection**. This is the least common type of validation error. Typically in this situation, a site redirects from an easy-to-remember URL to a longer URL. Like `\\tar` redirects to `\\timecard`. You can add the short URL or you can add both the short and long versions to your list.
+Another possibility is that redirection happens multiple times, with an intermediary site experiencing compatibility issues. For example, an employee types a short URL that then redirects multiple times, finally ending up on a non-intranet site. In this situation, you might want to add the intermediary URLs to your Enterprise Mode site list, in case there’s logic in one of them that has compatibility issues. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index ae518b4cd1..859cf8fbb7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 -Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures. - -From AGPM you can: - -- **Edit GPOs outside of your production environment.** Your GPOs are stored in an outside archive for editing, reviewing, and approving. Then, when you deploy, AGPM moves the GPOs to your production environment. - -- **Assign roles to your employees.** You can assign 3 roles to your employees or groups, including: - - - **Reviewer.** Can view and compare GPOs in the archive. This role can't edit or deploy GPOs. - - - **Editor.** Can view, compare, check-in and out, and edit GPOs in the archive. This role can also request GPO deployment. - - - **Approver.** Can approve GPO creation and deployment to the production environment. - -- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment. - -**Note**
-For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 +Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures. + +From AGPM you can: + +- **Edit GPOs outside of your production environment.** Your GPOs are stored in an outside archive for editing, reviewing, and approving. Then, when you deploy, AGPM moves the GPOs to your production environment. + +- **Assign roles to your employees.** You can assign 3 roles to your employees or groups, including: + + - **Reviewer.** Can view and compare GPOs in the archive. This role can't edit or deploy GPOs. + + - **Editor.** Can view, compare, check-in and out, and edit GPOs in the archive. This role can also request GPO deployment. + + - **Approver.** Can approve GPO creation and deployment to the production environment. + +- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment. + +**Note**
+For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md index fb65dd9940..3c121b3e5e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 -A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2. - -## Why use the GPMC? -The GPMC lets you: - -- Import, export, copy, paste, backup and restore GPOs. - -- Search for existing GPOs. - -- Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML reports that you can save and print. - -- Use simulated RSoP data to prototype your Group Policy before implementing it in the production environment. - -- Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy deployment. - -- Create migration tables to let you import and copy GPOs across domains and across forests. Migration tables are files that map references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO. - -- Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO. - -For more information about the GPMC, see [Group Policy Management Console](https://go.microsoft.com/fwlink/p/?LinkId=214515) on TechNet. - -## Searching for Group Policy settings -To search for Group Policy settings in the Group Policy Management Console (GPMC), use the [Group Policy Search tool](https://go.microsoft.com/fwlink/p/?LinkId=279857). To find the Group Policy settings, click **Windows Components**, and then click **Internet Explorer**. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 +A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2. + +## Why use the GPMC? +The GPMC lets you: + +- Import, export, copy, paste, backup and restore GPOs. + +- Search for existing GPOs. + +- Create reports, including providing the Resultant Set of Policy (RSoP) data in HTML reports that you can save and print. + +- Use simulated RSoP data to prototype your Group Policy before implementing it in the production environment. + +- Obtain RSoP data to view your GPO interactions and to troubleshoot your Group Policy deployment. + +- Create migration tables to let you import and copy GPOs across domains and across forests. Migration tables are files that map references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO. + +- Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO. + +For more information about the GPMC, see [Group Policy Management Console](https://go.microsoft.com/fwlink/p/?LinkId=214515) on TechNet. + +## Searching for Group Policy settings +To search for Group Policy settings in the Group Policy Management Console (GPMC), use the [Group Policy Search tool](https://go.microsoft.com/fwlink/p/?LinkId=279857). To find the Group Policy settings, click **Windows Components**, and then click **Internet Explorer**. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index d6703810d1..574b7f8895 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. -author: lomayor -ms.prod: ie11 -ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. - -## In this section - -|Topic |Description | -|----------------------------------------------------|-----------------------------------------------------------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Info about many of the new group policy settings added for Internet Explorer 11. | -|[Group Policy management tools](group-policy-objects-and-ie11.md) |Guidance about how to use Microsoft Active Directory Domain Services (AD DS) to manage your Group Policy settings. | -|[ActiveX installation using group policy](activex-installation-using-group-policy.md) |Info about using the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. | -|[Group Policy and compatibility with Internet Explorer 11](group-policy-compatibility-with-ie11.md) |Our Group Policy recommendations for security, performance, and compatibility with previous versions of IE, regardless of which Zone the website is in. | -|[Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) |Info about Group Policy preferences, as compared to Group Policy settings. | -|[Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) |Info about Administrative Templates, including where to store them and the related Group Policy settings. | -|[Enable and disable add\-ons using administrative templates and group policy](enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) |Guidance about how to use your local Group Policy editor or the CLSID and Administrative Templates to manage your Group Policy objects. - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. +author: lomayor +ms.prod: ie11 +ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. + +## In this section + +|Topic |Description | +|----------------------------------------------------|-----------------------------------------------------------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Info about many of the new group policy settings added for Internet Explorer 11. | +|[Group Policy management tools](group-policy-objects-and-ie11.md) |Guidance about how to use Microsoft Active Directory Domain Services (AD DS) to manage your Group Policy settings. | +|[ActiveX installation using group policy](activex-installation-using-group-policy.md) |Info about using the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. | +|[Group Policy and compatibility with Internet Explorer 11](group-policy-compatibility-with-ie11.md) |Our Group Policy recommendations for security, performance, and compatibility with previous versions of IE, regardless of which Zone the website is in. | +|[Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) |Info about Group Policy preferences, as compared to Group Policy settings. | +|[Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) |Info about Administrative Templates, including where to store them and the related Group Policy settings. | +|[Enable and disable add\-ons using administrative templates and group policy](enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) |Guidance about how to use your local Group Policy editor or the CLSID and Administrative Templates to manage your Group Policy objects. + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md index 8895e8e19e..36176c7bde 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md @@ -1,36 +1,36 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, the Local Group Policy Editor, and Internet Explorer 11 -A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1. - -Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912). - -|Computer configuration |User configuration | -|-----------------------|-------------------| -|Windows settings:
  • Name Resolution policy
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)
|Windows settings:
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)

| -|Administrative templates:
  • Control Panel
  • Network
  • Printers
  • Server
  • System
  • Windows components
  • All settings

|Administrative templates:
  • Control Panel
  • Desktop
  • Network
  • Shared folders
  • Start menu and taskbar
  • System
  • Windows components
  • All settings
| - - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, the Local Group Policy Editor, and Internet Explorer 11 +A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1. + +Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912). + +|Computer configuration |User configuration | +|-----------------------|-------------------| +|Windows settings:
  • Name Resolution policy
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)
|Windows settings:
  • Scripts (Startup/Shutdown)
  • Deployed printers
  • Security settings
  • Policy-based Quality of Service (QoS)

| +|Administrative templates:
  • Control Panel
  • Network
  • Printers
  • Server
  • System
  • Windows components
  • All settings

|Administrative templates:
  • Control Panel
  • Desktop
  • Network
  • Shared folders
  • Start menu and taskbar
  • System
  • Windows components
  • All settings
| + + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md index 812e8abe3d..5e66dc9f4c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Group Policy suggestions for compatibility with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and compatibility with Internet Explorer 11 -Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in. - -|Activity |Location |Setting the policy object | -|---------------------------------|----------------------------------------------|-------------------------------------------------------------------------| -|Turn on Compatibility View for all intranet zones |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Turn on IE Standards Mode for local intranet** , and then click **Disabled**. | -|Turn on Compatibility View for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Windows Internet Explorer 7 sites** , and then click **Enabled**.Users will be able to add or remove sites manually to their local Compatibility View list, but they won’t be able to remove the sites you specifically added. | -|Turn on Quirks mode for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Quirks Mode sites**, and then click **Enabled**. | -|Ensure your users are using the most up-to-date version of Microsoft’s compatibility list. |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Include updated Web site lists from Microsoft**, and then click **Enabled**. | -|Restrict users from making security zone configuration changes. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel` |Double-click **Disable the Security Page**, and then click **Enabled**. | -|Control which security zone settings are applied to specific websites. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page` |Double-click **Site to Zone Assignment List**, click **Enabled**, and then enter your list of websites and their applicable security zones. | -|Turn off Data Execution Prevention (DEP). |`Administrative Templates\ Windows Components\Internet Explorer\Security Features` |Double-click **Turn off Data Execution Prevention**, and then click **Enabled**. | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Group Policy suggestions for compatibility with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and compatibility with Internet Explorer 11 +Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in. + +|Activity |Location |Setting the policy object | +|---------------------------------|----------------------------------------------|-------------------------------------------------------------------------| +|Turn on Compatibility View for all intranet zones |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Turn on IE Standards Mode for local intranet** , and then click **Disabled**. | +|Turn on Compatibility View for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Windows Internet Explorer 7 sites** , and then click **Enabled**.Users will be able to add or remove sites manually to their local Compatibility View list, but they won’t be able to remove the sites you specifically added. | +|Turn on Quirks mode for selected websites, using Group Policy |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Use Policy List of Quirks Mode sites**, and then click **Enabled**. | +|Ensure your users are using the most up-to-date version of Microsoft’s compatibility list. |`Administrative Templates\Windows Components\Internet Explorer\Compatibility View` |Double-click **Include updated Web site lists from Microsoft**, and then click **Enabled**. | +|Restrict users from making security zone configuration changes. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel` |Double-click **Disable the Security Page**, and then click **Enabled**. | +|Control which security zone settings are applied to specific websites. |`Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page` |Double-click **Site to Zone Assignment List**, click **Enabled**, and then enter your list of websites and their applicable security zones. | +|Turn off Data Execution Prevention (DEP). |`Administrative Templates\ Windows Components\Internet Explorer\Security Features` |Double-click **Turn off Data Execution Prevention**, and then click **Enabled**. | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index 247e023667..494906c975 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview of the available Group Policy management tools -author: lomayor -ms.prod: ie11 -ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy management tools (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy management tools -Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model. - -By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. - -**Note**
   -For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. - -## Managing settings with GPOs -After deploying IE11 to your organization, you can continue to manage the browser settings by using Active Directory Domain Services (AD DS) together with the following Group Policy-related setting management groups: - -- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md). Used to manage registry-based policies and options. - -- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md). Used to set up and manage options that can be changed by the user after installation. - -**Note**
-Whenever possible, we recommend that you manage IE11 using Administrative Templates, because these settings are always written to secure policy branches in the registry. In addition, we recommend that you deploy using standard user accounts instead of letting your users log on to their computers as administrators. This helps to prevent your users from making unwanted changes to their systems or overriding Group Policy settings. - - -Users won't be able to use the IE11 user interface or the registry to change any managed settings on their computers. However, they will be able to change many of the preferences associated with the settings you set up using the Internet Explorer Administration Kit 11 (IEAK 11). - -## Which GPO tool should I use? -You can use any of these tools to create, manage, view, and troubleshoot Group Policy objects (GPOs). For information about each, see: - -- [Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11](group-policy-and-group-policy-mgmt-console-ie11.md). Provides a single location to manage all GPOs, WMI filters, and Group Policy–related permissions across multiple forests in an organization. - -- [Group Policy, the Local Group Policy Editor, and Internet Explorer 11](group-policy-and-local-group-policy-editor-ie11.md). Provides a user interface that lets you edit settings within individual GPOs. - -- [Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11](group-policy-and-advanced-group-policy-mgmt-ie11.md). An add-on license for the Microsoft Desktop Optimization Pack (MDOP) that helps to extend Group Policy for Software Assurance customers. - -- [Group Policy, Windows Powershell, and Internet Explorer 11](group-policy-windows-powershell-ie11.md). A command-line shell and scripting language that helps automate Windows and application administration on a single computer locally, or across many computers remotely. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview of the available Group Policy management tools +author: lomayor +ms.prod: ie11 +ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy management tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy management tools +Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model. + +By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. + +**Note**
   +For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + +## Managing settings with GPOs +After deploying IE11 to your organization, you can continue to manage the browser settings by using Active Directory Domain Services (AD DS) together with the following Group Policy-related setting management groups: + +- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md). Used to manage registry-based policies and options. + +- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md). Used to set up and manage options that can be changed by the user after installation. + +**Note**
+Whenever possible, we recommend that you manage IE11 using Administrative Templates, because these settings are always written to secure policy branches in the registry. In addition, we recommend that you deploy using standard user accounts instead of letting your users log on to their computers as administrators. This helps to prevent your users from making unwanted changes to their systems or overriding Group Policy settings. + + +Users won't be able to use the IE11 user interface or the registry to change any managed settings on their computers. However, they will be able to change many of the preferences associated with the settings you set up using the Internet Explorer Administration Kit 11 (IEAK 11). + +## Which GPO tool should I use? +You can use any of these tools to create, manage, view, and troubleshoot Group Policy objects (GPOs). For information about each, see: + +- [Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11](group-policy-and-group-policy-mgmt-console-ie11.md). Provides a single location to manage all GPOs, WMI filters, and Group Policy–related permissions across multiple forests in an organization. + +- [Group Policy, the Local Group Policy Editor, and Internet Explorer 11](group-policy-and-local-group-policy-editor-ie11.md). Provides a user interface that lets you edit settings within individual GPOs. + +- [Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11](group-policy-and-advanced-group-policy-mgmt-ie11.md). An add-on license for the Microsoft Desktop Optimization Pack (MDOP) that helps to extend Group Policy for Software Assurance customers. + +- [Group Policy, Windows Powershell, and Internet Explorer 11](group-policy-windows-powershell-ie11.md). A command-line shell and scripting language that helps automate Windows and application administration on a single computer locally, or across many computers remotely. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md index 66f39f438f..473be60b15 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Info about Group Policy preferences versus Group Policy settings -author: lomayor -ms.prod: ie11 -ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group policy preferences and Internet Explorer 11 -Group Policy preferences are less strict than Group Policy settings, based on: - -| |Group Policy preferences |Group Policy settings | -|-----|-------------------------|----------------------| -|Enforcement |
  • Not enforced
  • Has the user interface turned on
  • Can only be refreshed or applied once
|
  • Enforced
  • Has the user interface turned off
  • Can be refreshed multiple times
| -|Flexibility |Lets you create preference items for registry settings, files, and folders. |
  • Requires app support
  • Needs you to create Administrative Templates for new policy settings
  • Won't let you create policy settings to manage files and folders
| -|Local Group Policy |Not available |Available -|Awareness |Supports apps that aren't Group Policy-aware |Requires apps to be Group Policy-aware | -|Storage |
  • Overwrites the original settings
  • Removing the preference doesn't restore the original setting
|
  • Doesn't overwrite the original settings
  • Stored in the Policy branches of the registry
  • Removing the setting restores the original setting
| -|Targeting and filtering |
  • Targeting is specific, with a user interface for each type of targeting item
  • Supports targeting at the individual preference item level
|
  • Filtering is based on Windows Management Instrumentation (WMI), and requires writing WMI queries
  • Supports filtering at the Group Policy Object (GPO) level
| - - -For more information about Group Policy preferences, see the [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Info about Group Policy preferences versus Group Policy settings +author: lomayor +ms.prod: ie11 +ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group policy preferences and Internet Explorer 11 +Group Policy preferences are less strict than Group Policy settings, based on: + +| |Group Policy preferences |Group Policy settings | +|-----|-------------------------|----------------------| +|Enforcement |
  • Not enforced
  • Has the user interface turned on
  • Can only be refreshed or applied once
|
  • Enforced
  • Has the user interface turned off
  • Can be refreshed multiple times
| +|Flexibility |Lets you create preference items for registry settings, files, and folders. |
  • Requires app support
  • Needs you to create Administrative Templates for new policy settings
  • Won't let you create policy settings to manage files and folders
| +|Local Group Policy |Not available |Available +|Awareness |Supports apps that aren't Group Policy-aware |Requires apps to be Group Policy-aware | +|Storage |
  • Overwrites the original settings
  • Removing the preference doesn't restore the original setting
|
  • Doesn't overwrite the original settings
  • Stored in the Policy branches of the registry
  • Removing the setting restores the original setting
| +|Targeting and filtering |
  • Targeting is specific, with a user interface for each type of targeting item
  • Supports targeting at the individual preference item level
|
  • Filtering is based on Windows Management Instrumentation (WMI), and requires writing WMI queries
  • Supports filtering at the Group Policy Object (GPO) level
| + + +For more information about Group Policy preferences, see the [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index 19c1de8291..65ae07a3ce 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -1,29 +1,29 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy problems with Internet Explorer 11 -If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872). - -## Group Policy Object-related Log Files -You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy problems with Internet Explorer 11 +If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872). + +## Group Policy Object-related Log Files +You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index 02a0adf579..7c53292112 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -1,49 +1,49 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. -author: lomayor -ms.prod: ie11 -ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, Shortcut Extensions, and Internet Explorer 11 -Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to: - -- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen. - -- **URLs.** Shortcuts to webpages or FTP sites. For example, a link to your intranet site from your employee's **Favorites** folder. - -- **Shell objects.** Shortcuts to objects that appear in the shell namespace, such as printers, desktop items, Control Panel items, the Recycle Bin, and so on. - -## How do I configure shortcuts? -You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC). - - **To create a new Shortcut preference item** - -1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**. - -2. From **Computer Configuration** or **User Configuration**, go to **Preferences**, and then go to **Windows Settings**. - -3. Right-click **Shortcuts**, click **New**, and then choose **Shortcut**. - -4. Choose what the shortcut should do, including **Create**, **Delete**, **Replace**, or **Update**. - -5. Type the required shortcut settings and your comments into the **Description** box, and click **OK**. - -For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](https://go.microsoft.com/fwlink/p/?LinkId=214525) and [Configure a Shortcut Item](https://go.microsoft.com/fwlink/p/?LinkId=301837). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. +author: lomayor +ms.prod: ie11 +ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, Shortcut Extensions, and Internet Explorer 11 +Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to: + +- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen. + +- **URLs.** Shortcuts to webpages or FTP sites. For example, a link to your intranet site from your employee's **Favorites** folder. + +- **Shell objects.** Shortcuts to objects that appear in the shell namespace, such as printers, desktop items, Control Panel items, the Recycle Bin, and so on. + +## How do I configure shortcuts? +You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC). + + **To create a new Shortcut preference item** + +1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**. + +2. From **Computer Configuration** or **User Configuration**, go to **Preferences**, and then go to **Windows Settings**. + +3. Right-click **Shortcuts**, click **New**, and then choose **Shortcut**. + +4. Choose what the shortcut should do, including **Create**, **Delete**, **Replace**, or **Update**. + +5. Type the required shortcut settings and your comments into the **Description** box, and click **OK**. + +For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](https://go.microsoft.com/fwlink/p/?LinkId=214525) and [Configure a Shortcut Item](https://go.microsoft.com/fwlink/p/?LinkId=301837). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md index 0a81ff7136..dcea0b00e6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy, Windows Powershell, and Internet Explorer 11 -Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell. - -Each cmdlet is a single-function command-line tool that can: - -- Create, edit, remove, back up, and import GPOs. - -- Create, update, and remove Group Policy links. - -- Set inheritance flags and permissions on organizational units (OU) and domains. - -- Configure registry-based policy settings and registry settings for Group Policy preferences. - -For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=276828). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy, Windows Powershell, and Internet Explorer 11 +Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell. + +Each cmdlet is a single-function command-line tool that can: + +- Create, edit, remove, back up, and import GPOs. + +- Create, update, and remove Group Policy links. + +- Set inheritance flags and permissions on organizational units (OU) and domains. + +- Configure registry-based policy settings and registry settings for Group Policy preferences. + +For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=276828). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 0b4e605611..4e3fdb4baa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -1,142 +1,142 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Internet Explorer 11 delivery through automatic updates -ms.sitesec: library -ms.date: 05/22/2018 ---- - -# Internet Explorer 11 delivery through automatic updates -Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. - -- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) - -- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades) - -- [Options for blocking automatic delivery](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery) - -- [Availability of Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11) - -- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus) - -## Automatic updates delivery process - -Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 -to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their -current version of Internet Explorer. - -Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. - ->[!Note] ->If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. - -## Internet Explorer 11 automatic upgrades - -Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. - -Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. - -## Options for blocking automatic delivery - -If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: - -- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - - >[!Note] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). - -- **Use an update management solution to control update deployment.** - If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. - - >[!Note] - >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). - -Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). - -## Availability of Internet Explorer 11 - -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the System Center Configuration Manager, Microsoft Systems Management Server, and WSUS. - -## Prevent automatic installation of Internet Explorer 11 with WSUS - -Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft - Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves an update that is classified as - Update Rollup, and then click **Edit.** - - >[!Note] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - - >[!Note] - >The properties for this rule will resemble the following:
  • When an update is in Update Rollups
  • Approve the update for all computers
- -6. Clear the **Update Rollup** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box.

After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. - -8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -9. Expand *ComputerName*, and then click **Synchronizations**. - -10. Click **Synchronize Now**. - -11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. - -12. Choose **Unapproved** in the **Approval**drop down box. - -13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. - - >[!Note] - >There may be multiple updates, depending on the imported language and operating system updates. - -**Optional** - -If you need to reset your Update Rollups packages to auto-approve, do this: - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - -6. Check the **Update Rollups** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box. - ->[!Note] ->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. - - -## Additional resources - -- [Automatic delivery process](what-is-the-internet-explorer-11-blocker-toolkit.md#automatic-delivery-process) - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - -- [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) - -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Internet Explorer 11 delivery through automatic updates +ms.sitesec: library +ms.date: 05/22/2018 +--- + +# Internet Explorer 11 delivery through automatic updates +Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. + +- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) + +- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades) + +- [Options for blocking automatic delivery](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery) + +- [Availability of Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11) + +- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus) + +## Automatic updates delivery process + +Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 +to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their +current version of Internet Explorer. + +Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. + +>[!Note] +>If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. + +## Internet Explorer 11 automatic upgrades + +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + +Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. + +## Options for blocking automatic delivery + +If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: + +- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + + >[!Note] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). + +- **Use an update management solution to control update deployment.** + If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + + >[!Note] + >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). + +Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). + +## Availability of Internet Explorer 11 + +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the System Center Configuration Manager, Microsoft Systems Management Server, and WSUS. + +## Prevent automatic installation of Internet Explorer 11 with WSUS + +Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft + Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves an update that is classified as + Update Rollup, and then click **Edit.** + + >[!Note] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!Note] + >The properties for this rule will resemble the following:

  • When an update is in Update Rollups
  • Approve the update for all computers
+ +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box.

After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +9. Expand *ComputerName*, and then click **Synchronizations**. + +10. Click **Synchronize Now**. + +11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +12. Choose **Unapproved** in the **Approval**drop down box. + +13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + + >[!Note] + >There may be multiple updates, depending on the imported language and operating system updates. + +**Optional** + +If you need to reset your Update Rollups packages to auto-approve, do this: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!Note] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. + + +## Additional resources + +- [Automatic delivery process](what-is-the-internet-explorer-11-blocker-toolkit.md#automatic-delivery-process) + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index 421a10b9d9..48331957e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -1,16 +1,16 @@ ---- -description: A full-sized view of how document modes are chosen in IE11. -title: Full-sized flowchart detailing how document modes are chosen in IE11 -author: lomayor -ms.date: 04/19/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
- -

- Full-sized flowchart detailing how document modes are chosen in IE11 -

- +--- +description: A full-sized view of how document modes are chosen in IE11. +title: Full-sized flowchart detailing how document modes are chosen in IE11 +author: lomayor +ms.date: 04/19/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
+ +

+ Full-sized flowchart detailing how document modes are chosen in IE11 +

+ diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index a84fbae316..add9fe0016 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. -author: lomayor -ms.prod: ie11 -ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. - -**Important**   -Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do. - - **To import your compatibility list** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**. - -2. Go to your exported .EMIE file (for example, `C:\users\\documents\sites.emie`), and then click **Open**. - -3. Review the alert message about all of your entries being overwritten. If you still want to import the file, click **Yes**. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. +author: lomayor +ms.prod: ie11 +ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. + +**Important**   +Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do. + + **To import your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**. + +2. Go to your exported .EMIE file (for example, `C:\users\\documents\sites.emie`), and then click **Open**. + +3. Review the alert message about all of your entries being overwritten. If you still want to import the file, click **Yes**. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index 3f147df80e..f5e959c3c4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. -author: lomayor -ms.prod: ie11 -ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install and Deploy Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 Update -- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. - -## In this section - -|Topic |Description | -|------|------------| -|[Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) |Guidance about how to use .INF files or the IE Administration Kit 11 (IEAK 11) to create custom packages and about how to create those packages for multiple operating systems. | -|[Choose how to install Internet Explorer 11 (IE11)](choose-how-to-install-ie11.md) |Guidance for the different ways you can install IE, including using System Center 2012 R2 Configuration Manager, Windows Server Update Services (WSUS), Microsoft Intune, your network, the operating system deployment system, or third-party tools. | -|[Choose how to deploy Internet Explorer 11 (IE11)](choose-how-to-deploy-ie11.md) |Guidance about how to deploy your custom version of IE using Automatic Version Synchronization (AVS) or using your software distribution tools. | -|[Virtualization and compatibility with Internet Explorer 11](virtualization-and-compatibility-with-ie11.md) |Info about the Microsoft-supported options for virtualizing web apps. | - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. +author: lomayor +ms.prod: ie11 +ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install and Deploy Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 Update +- Windows 7 with Service Pack 1 (SP1) +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. + +## In this section + +|Topic |Description | +|------|------------| +|[Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) |Guidance about how to use .INF files or the IE Administration Kit 11 (IEAK 11) to create custom packages and about how to create those packages for multiple operating systems. | +|[Choose how to install Internet Explorer 11 (IE11)](choose-how-to-install-ie11.md) |Guidance for the different ways you can install IE, including using System Center 2012 R2 Configuration Manager, Windows Server Update Services (WSUS), Microsoft Intune, your network, the operating system deployment system, or third-party tools. | +|[Choose how to deploy Internet Explorer 11 (IE11)](choose-how-to-deploy-ie11.md) |Guidance about how to deploy your custom version of IE using Automatic Version Synchronization (AVS) or using your software distribution tools. | +|[Virtualization and compatibility with Internet Explorer 11](virtualization-and-compatibility-with-ie11.md) |Info about the Microsoft-supported options for virtualizing web apps. | + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 4791de3e60..e93450be88 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,54 +1,54 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. -author: lomayor -ms.prod: ie11 -ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Microsoft Intune -Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). - -## Adding and deploying the IE11 package -You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. - - **To add the IE11 package** - -1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. - -2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi). - -For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - - **To automatically deploy and install the IE11 package** - -1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. - -2. Deploy the package to any of your employee computers that are managed by Microsoft Intune. - -3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard. - -For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - - **To let your employees install the IE11 package** - -1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. - -2. Any employee in the assigned group can now install the package. - -For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. +author: lomayor +ms.prod: ie11 +ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Microsoft Intune +Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). + +## Adding and deploying the IE11 package +You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. + + **To add the IE11 package** + +1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. + +2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi). + +For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). + + **To automatically deploy and install the IE11 package** + +1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. + +2. Deploy the package to any of your employee computers that are managed by Microsoft Intune. + +3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard. + +For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). + + **To let your employees install the IE11 package** + +1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. + +2. Any employee in the assigned group can now install the package. + +For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index 594e4cc0ae..5046293535 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md @@ -1,59 +1,59 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. -author: lomayor -ms.prod: ie11 -ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images - -You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images. - -You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here: - -- [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=279697) - -- [Microsoft Update Catalog](https://go.microsoft.com/fwlink/p/?LinkId=214287) - -After you install the .msu file updates, you'll need to add them to your MDT deployment. You'll also need to extract the IE11 .cab update file from the IE11 installation package, using the `/x` command-line option. For example, `IE11-Windows6.1-x64-en-us.exe /x:c:\ie11cab`. - -## Installing IE11 using Microsoft Deployment Toolkit (MDT) - -MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148). - - **To add IE11 to a MDT deployment share** - -1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**. - -2. Go to the **Specify Directory** page, search for your folder with your update files (.cab and .msu) for import, and click **Next**. - -3. Go to the **Summary** page and click **Next**.

-MDT starts importing your update files.

**Note**
Ignore any warnings that say, "Skipping invalid CAB file". This shows up because the **Import OS Packages** wizard skips the IE11\_Support.cab file, which isn't an actual update file. - -4. After the import finishes, click **Finish**. - -### Offline servicing with MDT - -You can add the IE11 update while you're performing offline servicing, or slipstreaming, of your Windows images. This method lets you deploy IE11 without needing any additional installation after you've deployed Windows. - -These articles have step-by-step details about adding packages to your Windows images: - -- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=276791). - -- For Windows 7 SP1, see [Add or Remove Packages Offline](https://go.microsoft.com/fwlink/p/?LinkId=214490). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. +author: lomayor +ms.prod: ie11 +ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images + +You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images. + +You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here: + +- [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=279697) + +- [Microsoft Update Catalog](https://go.microsoft.com/fwlink/p/?LinkId=214287) + +After you install the .msu file updates, you'll need to add them to your MDT deployment. You'll also need to extract the IE11 .cab update file from the IE11 installation package, using the `/x` command-line option. For example, `IE11-Windows6.1-x64-en-us.exe /x:c:\ie11cab`. + +## Installing IE11 using Microsoft Deployment Toolkit (MDT) + +MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148). + + **To add IE11 to a MDT deployment share** + +1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**. + +2. Go to the **Specify Directory** page, search for your folder with your update files (.cab and .msu) for import, and click **Next**. + +3. Go to the **Summary** page and click **Next**.

+MDT starts importing your update files.

**Note**
Ignore any warnings that say, "Skipping invalid CAB file". This shows up because the **Import OS Packages** wizard skips the IE11\_Support.cab file, which isn't an actual update file. + +4. After the import finishes, click **Finish**. + +### Offline servicing with MDT + +You can add the IE11 update while you're performing offline servicing, or slipstreaming, of your Windows images. This method lets you deploy IE11 without needing any additional installation after you've deployed Windows. + +These articles have step-by-step details about adding packages to your Windows images: + +- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=276791). + +- For Windows 7 SP1, see [Add or Remove Packages Offline](https://go.microsoft.com/fwlink/p/?LinkId=214490). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index e94d46a676..4d91b89af4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager -author: lomayor -ms.prod: ie11 -ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager -You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. - - **To install IE11** - -1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). - -2. Create a software distribution package that includes the IE11 installation package. - -3. Create a program that includes the command-line needed to run the IE11 installation package. To run the package silently, without restarting and without checking the Internet for updates, use:`ie11_package.exe /quiet /norestart /update-no`. - -4. Move the installation package to your distribution points, and then advertise the package. - -You can also use System Center Essentials 2010 to deploy IE11 installation packages. For info, see [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?linkid=395200) and the [System Center Essentials 2010 Operations Guide](https://go.microsoft.com/fwlink/p/?LinkId=214266). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager +author: lomayor +ms.prod: ie11 +ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager +You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. + + **To install IE11** + +1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). + +2. Create a software distribution package that includes the IE11 installation package. + +3. Create a program that includes the command-line needed to run the IE11 installation package. To run the package silently, without restarting and without checking the Internet for updates, use:`ie11_package.exe /quiet /norestart /update-no`. + +4. Move the installation package to your distribution points, and then advertise the package. + +You can also use System Center Essentials 2010 to deploy IE11 installation packages. For info, see [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?linkid=395200) and the [System Center Essentials 2010 Operations Guide](https://go.microsoft.com/fwlink/p/?LinkId=214266). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index 7816ad8190..2dfe51cdf9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using your network -author: lomayor -ms.prod: ie11 -ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using your network -You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11). - -**Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file. - - **To manually create the folder structure** - -- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. - - **To create the folder structure using IEAK 11** - -- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

- The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. - -**Note**
Use the localized versions of the IE Customization Wizard 11 to create localized IE11 installation packages. - -## Related topics -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using your network +author: lomayor +ms.prod: ie11 +ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using your network +You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11). + +**Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file. + + **To manually create the folder structure** + +- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. + + **To create the folder structure using IEAK 11** + +- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

+ The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. + +**Note**
Use the localized versions of the IE Customization Wizard 11 to create localized IE11 installation packages. + +## Related topics +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md index 99af9a34e2..063f5c2aa2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using third-party tools and command-line options. -author: lomayor -ms.prod: ie11 -ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using third-party tools -You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options: - -## Setup Modes - -|Command-line options |Description | -|---------------------|------------------------------------------------------| -|`/passive` |Installs without customer involvement. | -|`/quiet` |Installs without customer involvement and without showing the UI. | - -## Setup Options - -|Command-line options |Description | -|---------------------|------------------------------------------------------| -|`/update-no` |Installs without checking for updates.

**Important**
If you don't use this option, you'll need an Internet connection to finish your installation. | -|`/no-default` |Installs without making IE11 the default web browser. | -|`/closeprograms` |Automatically closes running programs. | - - -## Restart Options - -|Command-line options |Description | -|---------------------|------------------------------------------------------| -|`/norestart` |Installs without restarting the computer. | -|`/forcerestart` |Installs and restarts after installation. | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using third-party tools and command-line options. +author: lomayor +ms.prod: ie11 +ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using third-party tools +You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options: + +## Setup Modes + +|Command-line options |Description | +|---------------------|------------------------------------------------------| +|`/passive` |Installs without customer involvement. | +|`/quiet` |Installs without customer involvement and without showing the UI. | + +## Setup Options + +|Command-line options |Description | +|---------------------|------------------------------------------------------| +|`/update-no` |Installs without checking for updates.

**Important**
If you don't use this option, you'll need an Internet connection to finish your installation. | +|`/no-default` |Installs without making IE11 the default web browser. | +|`/closeprograms` |Automatically closes running programs. | + + +## Restart Options + +|Command-line options |Description | +|---------------------|------------------------------------------------------| +|`/norestart` |Installs without restarting the computer. | +|`/forcerestart` |Installs and restarts after installation. | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index 3bc741dbc0..aba6187431 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' -author: lomayor -ms.prod: ie11 -ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) -Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). - - **To import from Windows Update to WSUS** - -1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

- Where `` is the name of your WSUS server. - -2. Choose the top server node or the **Updates** node, and then click **Import Updates**. - -3. To get the updates, install the Microsoft Update Catalog ActiveX control. - -4. Search for Internet Explorer 11 and add its contents to your basket. - -5. After you're done browsing, go to your basket and click **Import**. - - You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. - - **To approve Internet Explorer in WSUS for installation** - -6. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. - -7. Click **Synchronize now** to sync your WSUS server with Windows Update, and then click **Updates** from the navigation bar. - -8. Enter **Internet Explorer 11** into the **Search Contains** box, and then click **Apply**. - -9. Choose the right version of IE11 for your operating system, and click **Approve for installation**. - -10. Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click **OK**. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' +author: lomayor +ms.prod: ie11 +ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) +Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). + + **To import from Windows Update to WSUS** + +1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

+ Where `` is the name of your WSUS server. + +2. Choose the top server node or the **Updates** node, and then click **Import Updates**. + +3. To get the updates, install the Microsoft Update Catalog ActiveX control. + +4. Search for Internet Explorer 11 and add its contents to your basket. + +5. After you're done browsing, go to your basket and click **Import**. + + You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. + + **To approve Internet Explorer in WSUS for installation** + +6. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. + +7. Click **Synchronize now** to sync your WSUS server with Windows Update, and then click **Updates** from the navigation bar. + +8. Enter **Internet Explorer 11** into the **Search Contains** box, and then click **Apply**. + +9. Choose the right version of IE11 for your operating system, and click **Approve for installation**. + +10. Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click **OK**. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md index c7eac22844..29b3b5ca55 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md @@ -1,61 +1,61 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to fix potential installation problems with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install problems with Internet Explorer 11 -Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems. - -If you do, you can: - -- Check that you meet the minimum operating system requirements and have the prerequisites installed. - -- Check that there are no other updates or restarts waiting. - -- Temporarily turn off your antispyware and antivirus software. - -- Try another IE11 installer. For example from [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. - -- Review the `IE11_main.log` file in the `\Windows` folder. This log file has information about each installation and is appended for each subsequent installation. - -- Make sure you use the same download server URLs that you entered during the Setup process. - -## Internet Explorer didn't finish installing -If Internet Explorer doesn't finish installing, it might mean that Windows Update wasn't able to install an associated update, that you have a previous, unsupported version of IE installed, or that there's a problem with your copy of IE. We recommend you try this: - - **To fix this issue** - -1. Uninstall IE: - - 1. In the Control Panel, open the **Programs and Features** box, scroll down to IE11, and then click **Uninstall**. - - 2. After the uninstall finishes, restart your computer. - -2. Run [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315), clicking **Check for updates**. - -3. Check the list for IE11. If it's included in the list of updates for download, exclude it before you update your computer.

-If you get an error during the Windows Update process, see [Fix the problem with Microsoft Windows Update that is not working](https://go.microsoft.com/fwlink/p/?LinkId=302316). - -4. Restart your computer, making sure all of your the updates are finished. - -5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. - - - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to fix potential installation problems with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install problems with Internet Explorer 11 +Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems. + +If you do, you can: + +- Check that you meet the minimum operating system requirements and have the prerequisites installed. + +- Check that there are no other updates or restarts waiting. + +- Temporarily turn off your antispyware and antivirus software. + +- Try another IE11 installer. For example from [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. + +- Review the `IE11_main.log` file in the `\Windows` folder. This log file has information about each installation and is appended for each subsequent installation. + +- Make sure you use the same download server URLs that you entered during the Setup process. + +## Internet Explorer didn't finish installing +If Internet Explorer doesn't finish installing, it might mean that Windows Update wasn't able to install an associated update, that you have a previous, unsupported version of IE installed, or that there's a problem with your copy of IE. We recommend you try this: + + **To fix this issue** + +1. Uninstall IE: + + 1. In the Control Panel, open the **Programs and Features** box, scroll down to IE11, and then click **Uninstall**. + + 2. After the uninstall finishes, restart your computer. + +2. Run [Windows Update](https://go.microsoft.com/fwlink/p/?LinkId=302315), clicking **Check for updates**. + +3. Check the list for IE11. If it's included in the list of updates for download, exclude it before you update your computer.

+If you get an error during the Windows Update process, see [Fix the problem with Microsoft Windows Update that is not working](https://go.microsoft.com/fwlink/p/?LinkId=302316). + +4. Restart your computer, making sure all of your the updates are finished. + +5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. + + + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index 77eb2fa5b1..cf102f1c8f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to fix intranet search problems with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix intranet search problems with Internet Explorer 11 -After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site. - -## Why is my intranet redirecting me to search results? -IE11 works differently with search, based on whether your organization is domain-joined. - -- **Domain-joined computers.** A single word entry is treated as a search term. However, IE11 also checks for available intranet sites and offers matches through the **Notification bar**. If you select **Yes** from the **Notification bar** to navigate to the intranet site, IE11 associates that word with the site so that the next time you type in the intranet site name, inline auto-complete will resolve to the intranet site address. - -- **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider. - -To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like `contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. - - **To enable single-word intranet search** - -1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. - -2. Click **Advanced**, check the **Go to an intranet site for a single word entry in the Address bar** box, and then click **OK**. - -If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `https://contoso`. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to fix intranet search problems with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix intranet search problems with Internet Explorer 11 +After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site. + +## Why is my intranet redirecting me to search results? +IE11 works differently with search, based on whether your organization is domain-joined. + +- **Domain-joined computers.** A single word entry is treated as a search term. However, IE11 also checks for available intranet sites and offers matches through the **Notification bar**. If you select **Yes** from the **Notification bar** to navigate to the intranet site, IE11 associates that word with the site so that the next time you type in the intranet site name, inline auto-complete will resolve to the intranet site address. + +- **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider. + +To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like `contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. + + **To enable single-word intranet search** + +1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. + +2. Click **Advanced**, check the **Go to an intranet site for a single word entry in the Address bar** box, and then click **OK**. + +If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `https://contoso`. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md index 3a9b502928..a464bbc679 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md +++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. -author: lomayor -ms.prod: ie11 -ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Manage Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. - -## In this section - -|Topic |Description | -|------|------------| -|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. | -|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. | -|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |  - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. +author: lomayor +ms.prod: ie11 +ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Manage Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. + +## In this section + +|Topic |Description | +|------|------------| +|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. | +|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. | +|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |  + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md index 42ffd10dc8..6c19898cf3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md @@ -1,98 +1,98 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. -author: lomayor -ms.prod: ie11 -ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Missing Internet Explorer Maintenance settings for Internet Explorer 11 - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the IE Administration Kit 11 (IEAK 11). - -Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy Preferences, Administrative Templates (.admx), or IE Administration Kit 11 (IEAK 11). - -Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the **Security** settings or Group Policy Preferences within the **Internet Zone** settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. - -For more information about all of the new options and Group Policy, see: - -- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) - -- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) - -- [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876) - -- [Group Policy ADMX Syntax Reference Guide](https://go.microsoft.com/fwlink/p/?LinkId=276830) - -- [Enable and Disable Settings in a Preference Item](https://go.microsoft.com/fwlink/p/?LinkId=282671) - -## IEM replacements -The IEM settings have replacements you can use in either Group Policy Preferences or IEAK 11. - -### Browser user interface replacements - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Browser title |Lets you customize the text that shows up in the title bar of the browser.|On the **Browser User Interface** page of IEAK 11, click **Customize Title Bars**, and then type the text that appears on the title bar of the **Title Bar Text** box.

Your text is appended to the text," Microsoft Internet Explorer provided by". | -|Browser toolbar customizations (background and buttons) |Lets you customize the buttons on the browser toolbar.

  • **Buttons.** Customizes the buttons on the Internet Explorer 11 toolbar.
  • **Background.** No longer available.
|On the **Browser User Interface** page of IEAK 11, click **Add**, type your new toolbar caption, action, and icon, and if the button should appear by default, and then click **OK**. You can also edit, remove, or delete an existing toolbar button from this page. | -|Custom logo and animated bitmaps |Lets you replace the static and animated logos in the upper-right corner of the IE window with customized logos. |This setting isn't available anymore. | - - -### Connection replacements - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Connection settings|Lets you import your connection settings from a previously set up computer. These settings define how your employees interact with the connection settings on the **System Polices and Restrictions** page. You can also remove old dial-up connections settings from your employee's computers.|In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, and set up your proxy settings.

-OR-

On the **Connection Settings** page of IEAK 11, change your connection settings, including importing your current connection settings and deleting existing dial-up connection settings (as needed). | -|Automatic browser configuration |Lets you update your employee's computer after you've deployed IE11, by specifying a URL to an .ins file, an auto-proxy URL, or both. You can decide when the update occurs, in minutes. Typing zero, or not putting in any number, means that automatic configuration only happens after the browser is started and used to go to a page. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Automatic Configuration** tab, and then add your URL.

On the **Automatic Configuration** page of IEAK 11, modify the configuration settings, including providing the URL to an .ins file or an auto-proxy site. | -|Proxy settings |Lets you specify your proxy servers. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, click **LAN Settings**, and then choose whether to turn on automatic detection of your configuration settings and if you want to use proxy servers.

-OR-

On the **Proxy Settings** page of IEAK 11, turn on your proxy settings, adding your proxy server addresses and exceptions. | -|User Agent string |Lets the browser provide identification to visited servers. This string is often used to keep Internet traffic statistics. |This setting isn't available anymore. | - -### URLs replacements - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Favorites and links |Lets you use custom URLs for the **Favorites** and **Links** folders. You can also specify the folder order, disable IE Suggested Sites, and import an existing folder structure. |On the **Favorites, Favorites Bar and Feeds** page of IEAK 11, add your custom URLs to the **Favorites**, **Favorites Bar**, or **RSS Feeds** folders, or create new folders.

You can also edit, test, or remove your URLs, sort the list order, or disable IE Suggested Sites. | -|Important URLs |Lets you add custom **Home** pages that can open different tabs. You can also add a **Support** page that shows up when an employee clicks online Help.|In the **Internet Settings Group Policy Preferences** dialog box, click the **General** tab, and add your custom **Home** page.

On the **Important URLs - Home page and Support** page of IEAK 11, add the custom URLs to your **Home** and **Support** pages.

You can also click to retain the previous home page information when the user upgrades to a newer version of IE. | - -### Security Zones and Content Ratings - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Security zones |Lets you change your security settings, by zone |In the **Internet Settings Group Policy Preferences** dialog box, click the **Security** tab, and update your security settings, based on zone.

-OR-

On the **Security and Privacy Settings** page of IEAK 11, choose your **Security Zones and Privacy** setting, changing it, as necessary. | -|Content ratings |Lets you change your content ratings so your employees can't view sites with risky content. |On the **Security and Privacy Settings** page of IEAK 11, choose your **Content Ratings** setting, changing it, as necessary. | -|Authenticode settings |Lets you pick your trustworthy software publishers and stop your employees from adding new, untrusted publishers while browsing. |These settings aren't available anymore. | - -### Programs - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Programs |Lets you import your default program settings, which specify the programs Windows uses for each Internet service. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Programs** tab, and choose how to open IE11 links.

-OR-

On the **Programs** page of IEAK 11, choose whether to customize or import your program settings. | - -#### Advanced IEM settings -The Advanced IEM settings, including Corporate and Internet settings, were also deprecated. However, they also have replacements you can use in either Group Policy Preferences or IEAK 11. - -**Note**
Advanced IEM Settings were shown under **Programs** and only available when running in **Preference** mode. - -|IEM setting |Description |Replacement tool | -|------------|------------|-----------------| -|Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. | -|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required

-OR-

On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. +author: lomayor +ms.prod: ie11 +ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Missing Internet Explorer Maintenance settings for Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the IE Administration Kit 11 (IEAK 11). + +Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy Preferences, Administrative Templates (.admx), or IE Administration Kit 11 (IEAK 11). + +Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the **Security** settings or Group Policy Preferences within the **Internet Zone** settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. + +For more information about all of the new options and Group Policy, see: + +- [Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) + +- [Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) + +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) + +- [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876) + +- [Group Policy ADMX Syntax Reference Guide](https://go.microsoft.com/fwlink/p/?LinkId=276830) + +- [Enable and Disable Settings in a Preference Item](https://go.microsoft.com/fwlink/p/?LinkId=282671) + +## IEM replacements +The IEM settings have replacements you can use in either Group Policy Preferences or IEAK 11. + +### Browser user interface replacements + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Browser title |Lets you customize the text that shows up in the title bar of the browser.|On the **Browser User Interface** page of IEAK 11, click **Customize Title Bars**, and then type the text that appears on the title bar of the **Title Bar Text** box.

Your text is appended to the text," Microsoft Internet Explorer provided by". | +|Browser toolbar customizations (background and buttons) |Lets you customize the buttons on the browser toolbar.

  • **Buttons.** Customizes the buttons on the Internet Explorer 11 toolbar.
  • **Background.** No longer available.
|On the **Browser User Interface** page of IEAK 11, click **Add**, type your new toolbar caption, action, and icon, and if the button should appear by default, and then click **OK**. You can also edit, remove, or delete an existing toolbar button from this page. | +|Custom logo and animated bitmaps |Lets you replace the static and animated logos in the upper-right corner of the IE window with customized logos. |This setting isn't available anymore. | + + +### Connection replacements + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Connection settings|Lets you import your connection settings from a previously set up computer. These settings define how your employees interact with the connection settings on the **System Polices and Restrictions** page. You can also remove old dial-up connections settings from your employee's computers.|In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, and set up your proxy settings.

-OR-

On the **Connection Settings** page of IEAK 11, change your connection settings, including importing your current connection settings and deleting existing dial-up connection settings (as needed). | +|Automatic browser configuration |Lets you update your employee's computer after you've deployed IE11, by specifying a URL to an .ins file, an auto-proxy URL, or both. You can decide when the update occurs, in minutes. Typing zero, or not putting in any number, means that automatic configuration only happens after the browser is started and used to go to a page. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Automatic Configuration** tab, and then add your URL.

On the **Automatic Configuration** page of IEAK 11, modify the configuration settings, including providing the URL to an .ins file or an auto-proxy site. | +|Proxy settings |Lets you specify your proxy servers. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, click **LAN Settings**, and then choose whether to turn on automatic detection of your configuration settings and if you want to use proxy servers.

-OR-

On the **Proxy Settings** page of IEAK 11, turn on your proxy settings, adding your proxy server addresses and exceptions. | +|User Agent string |Lets the browser provide identification to visited servers. This string is often used to keep Internet traffic statistics. |This setting isn't available anymore. | + +### URLs replacements + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Favorites and links |Lets you use custom URLs for the **Favorites** and **Links** folders. You can also specify the folder order, disable IE Suggested Sites, and import an existing folder structure. |On the **Favorites, Favorites Bar and Feeds** page of IEAK 11, add your custom URLs to the **Favorites**, **Favorites Bar**, or **RSS Feeds** folders, or create new folders.

You can also edit, test, or remove your URLs, sort the list order, or disable IE Suggested Sites. | +|Important URLs |Lets you add custom **Home** pages that can open different tabs. You can also add a **Support** page that shows up when an employee clicks online Help.|In the **Internet Settings Group Policy Preferences** dialog box, click the **General** tab, and add your custom **Home** page.

On the **Important URLs - Home page and Support** page of IEAK 11, add the custom URLs to your **Home** and **Support** pages.

You can also click to retain the previous home page information when the user upgrades to a newer version of IE. | + +### Security Zones and Content Ratings + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Security zones |Lets you change your security settings, by zone |In the **Internet Settings Group Policy Preferences** dialog box, click the **Security** tab, and update your security settings, based on zone.

-OR-

On the **Security and Privacy Settings** page of IEAK 11, choose your **Security Zones and Privacy** setting, changing it, as necessary. | +|Content ratings |Lets you change your content ratings so your employees can't view sites with risky content. |On the **Security and Privacy Settings** page of IEAK 11, choose your **Content Ratings** setting, changing it, as necessary. | +|Authenticode settings |Lets you pick your trustworthy software publishers and stop your employees from adding new, untrusted publishers while browsing. |These settings aren't available anymore. | + +### Programs + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Programs |Lets you import your default program settings, which specify the programs Windows uses for each Internet service. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Programs** tab, and choose how to open IE11 links.

-OR-

On the **Programs** page of IEAK 11, choose whether to customize or import your program settings. | + +#### Advanced IEM settings +The Advanced IEM settings, including Corporate and Internet settings, were also deprecated. However, they also have replacements you can use in either Group Policy Preferences or IEAK 11. + +**Note**
Advanced IEM Settings were shown under **Programs** and only available when running in **Preference** mode. + +|IEM setting |Description |Replacement tool | +|------------|------------|-----------------| +|Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. | +|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required

-OR-

On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md index 40ab475677..ea68f25a40 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. -author: lomayor -ms.prod: ie11 -ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Missing the Compatibility View Button - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Compatibility View was introduced in Windows Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the Internet Explorer web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior. - -Thanks to these changes, using Internet Explorer 11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. - -## What happened to the Compatibility View button? -In previous versions of IE, the **Compatibility View** button would attempt to fix a broken standards-based website, by getting the page to appear like it did in Internet Explorer 7. Today however, more standards-based websites are broken by attempting to appear like they did in Internet Explorer 7. So instead of implementing and using Compatibility View, developers are updating their server configuration to add X-UA-Compatible meta tags, which forces the content to the “edge”, making the **Compatibility View** button disappear. In support of these changes, the Compatibility View button has been completely removed for IE11. - -## What if I still need Compatibility View? -There might be extenuating circumstances in your company, which require you to continue to use Compatibility View. In this situation, this process should be viewed strictly as a workaround. You should work with the website vendor to make sure that the affected pages are updated to match the latest web standards. The functionality described here is currently deprecated and will be removed at a time in the future. - -**Important**
This functionality is only available in Internet Explorer for the desktop. - - **To change your Compatibility View settings** - -1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**. - -2. In the **Compatibility View Settings** box, add the problematic website URL, and then click **Add**.

-Compatibility View is turned on for this single website, for this specific computer. - -3. Decide if you want your intranet sites displayed using Compatibility View, decide whether to use Microsoft compatibility lists, and then click **Close**. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. +author: lomayor +ms.prod: ie11 +ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Missing the Compatibility View Button + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Compatibility View was introduced in Windows Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the Internet Explorer web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior. + +Thanks to these changes, using Internet Explorer 11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. + +## What happened to the Compatibility View button? +In previous versions of IE, the **Compatibility View** button would attempt to fix a broken standards-based website, by getting the page to appear like it did in Internet Explorer 7. Today however, more standards-based websites are broken by attempting to appear like they did in Internet Explorer 7. So instead of implementing and using Compatibility View, developers are updating their server configuration to add X-UA-Compatible meta tags, which forces the content to the “edge”, making the **Compatibility View** button disappear. In support of these changes, the Compatibility View button has been completely removed for IE11. + +## What if I still need Compatibility View? +There might be extenuating circumstances in your company, which require you to continue to use Compatibility View. In this situation, this process should be viewed strictly as a workaround. You should work with the website vendor to make sure that the affected pages are updated to match the latest web standards. The functionality described here is currently deprecated and will be removed at a time in the future. + +**Important**
This functionality is only available in Internet Explorer for the desktop. + + **To change your Compatibility View settings** + +1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**. + +2. In the **Compatibility View Settings** box, add the problematic website URL, and then click **Add**.

+Compatibility View is turned on for this single website, for this specific computer. + +3. Decide if you want your intranet sites displayed using Compatibility View, decide whether to use Microsoft compatibility lists, and then click **Close**. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index f4e208137d..df476d43ad 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -1,33 +1,33 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: How to turn managed browser hosting controls back on in Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# .NET Framework problems with Internet Explorer 11 -If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. - - **To turn managed browser hosting controls back on** - -1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: How to turn managed browser hosting controls back on in Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# .NET Framework problems with Internet Explorer 11 +If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. + + **To turn managed browser hosting controls back on** + +1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 5098fab9f0..c1cd3ac8b3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -1,74 +1,74 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: New group policy settings for Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# New group policy settings for Internet Explorer 11 -Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: - - -| Policy | Category Path | Supported on | Explanation | -|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow IE to use the HTTP2 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

If you enable this policy setting, IE uses the HTTP2 network protocol.

If you disable this policy setting, IE won't use the HTTP2 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | -| Allow IE to use the SPDY/3 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced\* tab of the \*\*Internet Options** dialog box. The default is on.

**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -| Allow only approved domains to use the TDC ActiveX control |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 in Windows 10 | This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | -| Allow SSL3 Fallback | Administrative Templates\Windows Components\Internet Explorer\Security Features | Internet Explorer 11 on Windows 10 | This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | -| Allow VBScript to run in Internet Explorer |

  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
| Internet Explorer 11 | This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

If you enable this policy setting (default), you must also pick one of the following options from the Options box:

  • Enable. VBScript runs on pages in specific zones, without any interaction.
  • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
  • Disable. VBScript is prevented from running in the zone.

If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone. | -| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | -| Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | -| Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | -| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | -| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | -| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | -| Limit Site Discovery output by Zone | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 0 – Local Intranet zone
  • 0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
  • 1 – Restricted Sites zone
  • 0 – Internet zone
  • 1 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 1 – Local Machine zone

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | -| Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data | Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History | At least Windows Internet Explorer 9 | **In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | -| Show message when opening sites in Microsoft Edge using Enterprise Mode | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | -| Turn off automatic download of the ActiveX VersionList | Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | At least Windows Internet Explorer 8 | This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking () topic. | -| Turn off loading websites and content in the background to optimize performance | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -| Turn off phone number detection | Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | IE11 on Windows 10 | This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -| Turn off sending URL path as UTF-8 | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding | At least Windows Internet Explorer 7 | This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. | -| Turn off sending UTF-8 query strings for URLs | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

  • **0.** Never encode query strings.
  • **1.** Only encode query strings for URLs that aren't in the Intranet zone.
  • **2.** Only encode query strings for URLs that are in the Intranet zone.
  • **3.** Always encode query strings.

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | -| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | -| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | -| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | -| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | -| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | -| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | - -## Removed Group Policy settings -IE11 no longer supports these Group Policy settings: - -- Turn on Internet Explorer 7 Standards Mode - -- Turn off Compatibility View button - -- Turn off Quick Tabs functionality - -- Turn off the quick pick menu - -- Use large icons for command buttons - -## Viewing your policy settings -After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings. - -**To use the RSoP snap-in** - -1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see. - -2. Open your wizard results in the Group Policy Management Console (GPMC).

-For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](https://go.microsoft.com/fwlink/p/?LinkId=395201) - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: New group policy settings for Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# New group policy settings for Internet Explorer 11 +Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: + + +| Policy | Category Path | Supported on | Explanation | +|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Allow IE to use the HTTP2 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

If you enable this policy setting, IE uses the HTTP2 network protocol.

If you disable this policy setting, IE won't use the HTTP2 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | +| Allow IE to use the SPDY/3 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced\* tab of the \*\*Internet Options** dialog box. The default is on.

**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +| Allow only approved domains to use the TDC ActiveX control |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 in Windows 10 | This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +| Allow SSL3 Fallback | Administrative Templates\Windows Components\Internet Explorer\Security Features | Internet Explorer 11 on Windows 10 | This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | +| Allow VBScript to run in Internet Explorer |

  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
  • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
| Internet Explorer 11 | This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

If you enable this policy setting (default), you must also pick one of the following options from the Options box:

  • Enable. VBScript runs on pages in specific zones, without any interaction.
  • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
  • Disable. VBScript is prevented from running in the zone.

If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone. | +| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | +| Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | +| Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | +| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | +| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | +| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +| Limit Site Discovery output by Zone | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 0 – Local Intranet zone
  • 0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
  • 0 – Restricted Sites zone
  • 0 – Internet zone
  • 0 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
  • 1 – Restricted Sites zone
  • 0 – Internet zone
  • 1 – Trusted Sites zone
  • 1 – Local Intranet zone
  • 1 – Local Machine zone

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +| Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data | Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History | At least Windows Internet Explorer 9 | **In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | +| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | +| Show message when opening sites in Microsoft Edge using Enterprise Mode | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | +| Turn off automatic download of the ActiveX VersionList | Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | At least Windows Internet Explorer 8 | This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking () topic. | +| Turn off loading websites and content in the background to optimize performance | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | +| Turn off phone number detection | Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | IE11 on Windows 10 | This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | +| Turn off sending URL path as UTF-8 | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding | At least Windows Internet Explorer 7 | This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. | +| Turn off sending UTF-8 query strings for URLs | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

  • **0.** Never encode query strings.
  • **1.** Only encode query strings for URLs that aren't in the Intranet zone.
  • **2.** Only encode query strings for URLs that are in the Intranet zone.
  • **3.** Always encode query strings.

If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | +| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | +| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | +| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. | +| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | + +## Removed Group Policy settings +IE11 no longer supports these Group Policy settings: + +- Turn on Internet Explorer 7 Standards Mode + +- Turn off Compatibility View button + +- Turn off Quick Tabs functionality + +- Turn off the quick pick menu + +- Use large icons for command buttons + +## Viewing your policy settings +After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings. + +**To use the RSoP snap-in** + +1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see. + +2. Open your wizard results in the Group Policy Management Console (GPMC).

+For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](https://go.microsoft.com/fwlink/p/?LinkId=395201) + diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 825f199730..32665259c3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -1,205 +1,205 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 -ms.reviewer: -manager: dansimp -title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 05/10/2018 ---- - - -# Out-of-date ActiveX control blocking - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) -- Windows Vista SP2 - -ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called *out-of-date ActiveX control blocking*. - -Out-of-date ActiveX control blocking lets you: - -- Know when IE prevents a webpage from loading common, but outdated ActiveX controls. - -- Interact with other parts of the webpage that aren’t affected by the outdated control. - -- Update the outdated control, so that it’s up-to-date and safer to use. - -The out-of-date ActiveX control blocking feature works with all [Security Zones](https://go.microsoft.com/fwlink/p/?LinkId=403863), except the Local Intranet Zone and the Trusted Sites Zone. - -It also works with these operating system and IE combinations: - -|Windows operating system |IE version | -|----------------------------------------|---------------------------------| -|Windows 10 |All supported versions of IE.
Microsoft Edge doesn't support ActiveX controls. | -|Windows 8.1 and Windows 8.1 Update |All supported versions of IE | -|Windows 7 SP1 |All supported versions of IE | -|Windows Server 2012 |All supported versions of IE | -|Windows Server 2008 R2 SP1 |All supported versions of IE | -|Windows Server 2008 SP2 |Windows Internet Explorer 9 only | -|Windows Vista SP2 |Windows Internet Explorer 9 only | - -For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](blocked-out-of-date-activex-controls.md). - - -## What does the out-of-date ActiveX control blocking notification look like? -When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE: - -**Internet Explorer 9 through Internet Explorer 11** - -![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) - -**Windows Internet Explorer 8** - -![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) - -Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: - -![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) - - -## How do I fix an outdated ActiveX control or app? -From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version. - - **To get the updated ActiveX control** - -1. From the notification bar, tap or click **Update**.

-IE opens the ActiveX control’s website. - -2. Download the latest version of the control. - -**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again. - - **To get the updated app** - -1. From the security warning, tap or click **Update** link.

-IE opens the app’s website. - -2. Download the latest version of the app. - -**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again. - -## How does IE decide which ActiveX controls to block? -IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file. - -You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here: -- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?LinkId=798230) -- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864) - -**Security Note:**
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt: - -``` -reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f -``` -Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk. - -## Out-of-date ActiveX control blocking on managed devices -Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. - -### Group Policy settings -Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration. - -**Important**
-Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption. - -|Setting |Category path |Supported on |Help text | -|--------|--------------|-------------|----------| -|Turn on ActiveX control logging in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE saves log information for ActiveX controls.

If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, IE won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the **Turn off blocking of outdated ActiveX controls for IE** or **Turn off blocking of outdated ActiveX controls for IE on specific domains** settings. | -|Remove the **Run this time** button for outdated ActiveX controls in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`|Internet Explorer 8 through IE11 |This setting allows you stop users from seeing the **Run this time** button and from running specific outdated ActiveX controls in IE.

If you enable this setting, users won't see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. | -|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following:

  • **"domainname.TLD".** For example, if you want to include `*.contoso.com/*`, use "contoso.com".
  • **"hostname".** For example, if you want to include `https://example`, use "example".
  • **"file:///path/filename.htm"**. For example, use `file:///C:/Users/contoso/Desktop/index.htm`.

If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. | -|Turn off blocking of outdated ActiveX controls for IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, IE stops blocking outdated ActiveX controls.

If you disable or don't configure this setting, IE continues to block specific outdated ActiveX controls. | -|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |This functionality is only available through the registry |Internet Explorer 8 through IE11 |This setting determines whether the out-of-date ActiveX control blocking notification shows the **Update** button. This button points users to update specific out-of-date ActiveX controls in IE. | - - -If you don't want to use Group Policy, you can also turn these settings on or off using the registry. You can update the registry manually. - -|Setting |Registry setting | -|-------------------------|----------------------------------------------------------------| -|Turn on ActiveX control logging in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f`

Where:

  • **0 or not configured.** Logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.
  • **1.** Logs ActiveX control information.
| -|Remove **Run this time** button for outdated ActiveX controls in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Run this time** button.
  • **1 or not configured.** Leaves the **Run this time** button.
| -|Turn off blocking of outdated ActiveX controls for IE on specific domains |reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f

Where:

  • **contoso.com.** A single domain on which outdated ActiveX controls won't be blocked in IE. Use a new `reg add` command for each domain you wish to add to the **Allow** list.
| -|Turn off blocking of outdated ActiveX controls for IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Stops blocking outdated ActiveX controls.
  • **1 or not configured.** Continues to block specific outdated ActiveX controls.
| -|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |`reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Update** button
  • **1 or not configured.** Leaves the **Update** button.
- -## Inventory your ActiveX controls -You can inventory the ActiveX controls being used in your company, by turning on the **Turn on ActiveX control logging in IE** setting: - -- **Windows 10:** Through a comma-separated values (.csv) file or through a local Windows Management Instrumentation (WMI) class. - -- **All other versions of Microsoft Windows:** Through a .csv file only. - - -### Inventory your ActiveX controls by using a .CSV file -If you decide to inventory the ActiveX controls being used in your company by turning on the **Turn on ActiveX control logging in IE** setting, IE logs the ActiveX control information to the `%LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv` file. - -Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file. - -|Source URI |File path |Product version |File version |Allowed/Blocked |Reason |EPM-compatible | -|-----------|----------|----------------|-------------|----------------|-------|---------------| -|`https://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible | -|`https://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible | - -**Where:** -- **Source URI.** The URL of the page that loaded the ActiveX control. - -- **File path.** The location of the binary that implements the ActiveX control. - -- **Product version.** The product version of the binary that implements the ActiveX control. - -- **File version.** The file version of the binary that implements the ActiveX control. - -- **Allowed/Blocked** Whether IE blocked the ActiveX control. - -- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=403865).

**Note**
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible. - -- **Reason.** The ActiveX control can be blocked or allowed for any of these reasons: - -|Reason |Corresponds to |Description | -|-------------------------|---------------|-------------------------------------------------| -|Version not in blocklist |Allowed |The version of the loaded ActiveX control is explicitly allowed by the IE version list. | -|Trusted domain |Allowed |The ActiveX control was loaded on a domain listed in the **Turn off blocking of outdated ActiveX controls for IE on specific domains** setting. | -|File doesn’t exist |Allowed |The loaded ActiveX control is missing required binaries to run correctly. | -|Out-of-date |Blocked |The loaded ActiveX control is explicitly blocked by the IE version list because it is out-of-date. | -|Not in blocklist |Allowed |The loaded ActiveX control isn’t in the IE version list. | -|Managed by policy |Allowed |The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting. | -|Trusted Site Zone or intranet |Allowed |The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone. | -|Hardblocked |Blocked |The loaded ActiveX control is blocked in IE because it contains known security vulnerabilities. | -|Unknown |Allowed or blocked |None of the above apply. | - -### Inventory your ActiveX controls by using a local WMI class -For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control. - -#### Before you begin -Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](https://go.microsoft.com/fwlink/p/?LinkId=616971), which includes: - -- **ConfigureWMILogging.ps1**. A Windows PowerShell script. - -- **ActiveXWMILogging.mof**. A managed object file. - -Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer. - - **To configure IE to use WMI logging** - -1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. - -2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command: - ``` - powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1 - ``` - For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). - -3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). - -The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 +ms.reviewer: +audience: itpro manager: dansimp +title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 05/10/2018 +--- + + +# Out-of-date ActiveX control blocking + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows Vista SP2 + +ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called *out-of-date ActiveX control blocking*. + +Out-of-date ActiveX control blocking lets you: + +- Know when IE prevents a webpage from loading common, but outdated ActiveX controls. + +- Interact with other parts of the webpage that aren’t affected by the outdated control. + +- Update the outdated control, so that it’s up-to-date and safer to use. + +The out-of-date ActiveX control blocking feature works with all [Security Zones](https://go.microsoft.com/fwlink/p/?LinkId=403863), except the Local Intranet Zone and the Trusted Sites Zone. + +It also works with these operating system and IE combinations: + +|Windows operating system |IE version | +|----------------------------------------|---------------------------------| +|Windows 10 |All supported versions of IE.
Microsoft Edge doesn't support ActiveX controls. | +|Windows 8.1 and Windows 8.1 Update |All supported versions of IE | +|Windows 7 SP1 |All supported versions of IE | +|Windows Server 2012 |All supported versions of IE | +|Windows Server 2008 R2 SP1 |All supported versions of IE | +|Windows Server 2008 SP2 |Windows Internet Explorer 9 only | +|Windows Vista SP2 |Windows Internet Explorer 9 only | + +For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](blocked-out-of-date-activex-controls.md). + + +## What does the out-of-date ActiveX control blocking notification look like? +When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE: + +**Internet Explorer 9 through Internet Explorer 11** + +![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png) + +**Windows Internet Explorer 8** + +![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png) + +Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE: + +![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png) + + +## How do I fix an outdated ActiveX control or app? +From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version. + + **To get the updated ActiveX control** + +1. From the notification bar, tap or click **Update**.

+IE opens the ActiveX control’s website. + +2. Download the latest version of the control. + +**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again. + + **To get the updated app** + +1. From the security warning, tap or click **Update** link.

+IE opens the app’s website. + +2. Download the latest version of the app. + +**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again. + +## How does IE decide which ActiveX controls to block? +IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file. + +You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here: +- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?LinkId=798230) +- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864) + +**Security Note:**
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt: + +``` +reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f +``` +Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk. + +## Out-of-date ActiveX control blocking on managed devices +Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. + +### Group Policy settings +Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration. + +**Important**
+Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption. + +|Setting |Category path |Supported on |Help text | +|--------|--------------|-------------|----------| +|Turn on ActiveX control logging in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE saves log information for ActiveX controls.

If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, IE won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the **Turn off blocking of outdated ActiveX controls for IE** or **Turn off blocking of outdated ActiveX controls for IE on specific domains** settings. | +|Remove the **Run this time** button for outdated ActiveX controls in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`|Internet Explorer 8 through IE11 |This setting allows you stop users from seeing the **Run this time** button and from running specific outdated ActiveX controls in IE.

If you enable this setting, users won't see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. | +|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following:

  • **"domainname.TLD".** For example, if you want to include `*.contoso.com/*`, use "contoso.com".
  • **"hostname".** For example, if you want to include `https://example`, use "example".
  • **"file:///path/filename.htm"**. For example, use `file:///C:/Users/contoso/Desktop/index.htm`.

If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. | +|Turn off blocking of outdated ActiveX controls for IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, IE stops blocking outdated ActiveX controls.

If you disable or don't configure this setting, IE continues to block specific outdated ActiveX controls. | +|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |This functionality is only available through the registry |Internet Explorer 8 through IE11 |This setting determines whether the out-of-date ActiveX control blocking notification shows the **Update** button. This button points users to update specific out-of-date ActiveX controls in IE. | + + +If you don't want to use Group Policy, you can also turn these settings on or off using the registry. You can update the registry manually. + +|Setting |Registry setting | +|-------------------------|----------------------------------------------------------------| +|Turn on ActiveX control logging in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v AuditModeEnabled /t REG_DWORD /d 1 /f`

Where:

  • **0 or not configured.** Logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.
  • **1.** Logs ActiveX control information.
| +|Remove **Run this time** button for outdated ActiveX controls in IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v RunThisTimeEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Run this time** button.
  • **1 or not configured.** Leaves the **Run this time** button.
| +|Turn off blocking of outdated ActiveX controls for IE on specific domains |reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f

Where:

  • **contoso.com.** A single domain on which outdated ActiveX controls won't be blocked in IE. Use a new `reg add` command for each domain you wish to add to the **Allow** list.
| +|Turn off blocking of outdated ActiveX controls for IE |`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Stops blocking outdated ActiveX controls.
  • **1 or not configured.** Continues to block specific outdated ActiveX controls.
| +|Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |`reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v UpdateEnabled /t REG_DWORD /d 0 /f`

Where:

  • **0.** Removes the **Update** button
  • **1 or not configured.** Leaves the **Update** button.
+ +## Inventory your ActiveX controls +You can inventory the ActiveX controls being used in your company, by turning on the **Turn on ActiveX control logging in IE** setting: + +- **Windows 10:** Through a comma-separated values (.csv) file or through a local Windows Management Instrumentation (WMI) class. + +- **All other versions of Microsoft Windows:** Through a .csv file only. + + +### Inventory your ActiveX controls by using a .CSV file +If you decide to inventory the ActiveX controls being used in your company by turning on the **Turn on ActiveX control logging in IE** setting, IE logs the ActiveX control information to the `%LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv` file. + +Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file. + +|Source URI |File path |Product version |File version |Allowed/Blocked |Reason |EPM-compatible | +|-----------|----------|----------------|-------------|----------------|-------|---------------| +|`https://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible | +|`https://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible | + +**Where:** +- **Source URI.** The URL of the page that loaded the ActiveX control. + +- **File path.** The location of the binary that implements the ActiveX control. + +- **Product version.** The product version of the binary that implements the ActiveX control. + +- **File version.** The file version of the binary that implements the ActiveX control. + +- **Allowed/Blocked** Whether IE blocked the ActiveX control. + +- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=403865).

**Note**
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible. + +- **Reason.** The ActiveX control can be blocked or allowed for any of these reasons: + +|Reason |Corresponds to |Description | +|-------------------------|---------------|-------------------------------------------------| +|Version not in blocklist |Allowed |The version of the loaded ActiveX control is explicitly allowed by the IE version list. | +|Trusted domain |Allowed |The ActiveX control was loaded on a domain listed in the **Turn off blocking of outdated ActiveX controls for IE on specific domains** setting. | +|File doesn’t exist |Allowed |The loaded ActiveX control is missing required binaries to run correctly. | +|Out-of-date |Blocked |The loaded ActiveX control is explicitly blocked by the IE version list because it is out-of-date. | +|Not in blocklist |Allowed |The loaded ActiveX control isn’t in the IE version list. | +|Managed by policy |Allowed |The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting. | +|Trusted Site Zone or intranet |Allowed |The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone. | +|Hardblocked |Blocked |The loaded ActiveX control is blocked in IE because it contains known security vulnerabilities. | +|Unknown |Allowed or blocked |None of the above apply. | + +### Inventory your ActiveX controls by using a local WMI class +For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control. + +#### Before you begin +Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](https://go.microsoft.com/fwlink/p/?LinkId=616971), which includes: + +- **ConfigureWMILogging.ps1**. A Windows PowerShell script. + +- **ActiveXWMILogging.mof**. A managed object file. + +Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer. + + **To configure IE to use WMI logging** + +1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. + +2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command: + ``` + powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1 + ``` + For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). + +The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). + diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index dfa4a9576b..7b0af11274 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md @@ -1,73 +1,73 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. -author: lomayor -ms.prod: ie11 -ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Problems after installing Internet Explorer 11 -After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them. - -## Internet Explorer is in an unusable state -If IE11 gets into an unusable state on an employee's computer, you can use the **Reset Internet Explorer Settings (RIES)** feature to restore the default settings for many of the browser features, including: - -- Search scopes - -- Appearance settings - -- Toolbars - -- ActiveX® controls (resets to the opt-in state, unless they're pre-approved) - -- Branding settings created with IEAK 11 - -RIES does not: - -- Clear the Favorites list, RSS feeds, or Web slices. - -- Reset connection or proxy settings. - -- Affect the applied Administrative Template Group Policy settings. - -RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://go.microsoft.com/fwlink/p/?LinkId=214528). - -## IE is crashing or seems slow -If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode. - - **To check your browser add-ons** - -1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. - -2. Check if IE still crashes.

- If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**. - -3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars. - -4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

- After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. - - **To check for Software Rendering mode** - -5. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. - -6. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.

- If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588). - -## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2 -IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. +author: lomayor +ms.prod: ie11 +ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Problems after installing Internet Explorer 11 +After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them. + +## Internet Explorer is in an unusable state +If IE11 gets into an unusable state on an employee's computer, you can use the **Reset Internet Explorer Settings (RIES)** feature to restore the default settings for many of the browser features, including: + +- Search scopes + +- Appearance settings + +- Toolbars + +- ActiveX® controls (resets to the opt-in state, unless they're pre-approved) + +- Branding settings created with IEAK 11 + +RIES does not: + +- Clear the Favorites list, RSS feeds, or Web slices. + +- Reset connection or proxy settings. + +- Affect the applied Administrative Template Group Policy settings. + +RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://go.microsoft.com/fwlink/p/?LinkId=214528). + +## IE is crashing or seems slow +If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode. + + **To check your browser add-ons** + +1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. + +2. Check if IE still crashes.

+ If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**. + +3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars. + +4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

+ After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. + + **To check for Software Rendering mode** + +5. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. + +6. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.

+ If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588). + +## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2 +IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 40db70828c..f77ef953c0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. -author: lomayor -ms.prod: ie11 -ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can clear all of the sites from your global Enterprise Mode site list. - -**Important**   -This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. - - **To clear your compatibility list** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. - -2. Click **Yes** in the warning message.

Your sites are all cleared from your list. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. +author: lomayor +ms.prod: ie11 +ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can clear all of the sites from your global Enterprise Mode site list. + +**Important**   +This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. + + **To clear your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. + +2. Click **Yes** in the warning message.

Your sites are all cleared from your list. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md index d1c5e4e457..b682c46207 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md @@ -1,42 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Instructions about how to remove sites from a local compatibility view list. -author: lomayor -ms.prod: ie11 -ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Remove sites from a local compatibility view list - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. - - **To remove sites from a local compatibility view list** - -1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. - -2. Pick the site to remove, and then click **Remove**.

-Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local compatibility view list. +author: lomayor +ms.prod: ie11 +ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local compatibility view list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. + + **To remove sites from a local compatibility view list** + +1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. + +2. Pick the site to remove, and then click **Remove**.

+Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md index 0331c344b2..6cfccfd925 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -1,58 +1,58 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Instructions about how to remove sites from a local Enterprise Mode site list. -author: lomayor -ms.prod: ie11 -ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Remove sites from a local Enterprise Mode site list - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. - -**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. - -  **To remove single sites from a local Enterprise Mode site list** - -1. Open Internet Explorer 11 and go to the site you want to remove. - -2. Click **Tools**, and then click **Enterprise Mode**.

-The checkmark disappears from next to Enterprise Mode and the site is removed from the list. - -**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. - - **To remove all sites from a local Enterprise Mode site list** - -1. Open IE11, click **Tools**, and then click **Internet options**. - -2. Click the **Delete** button from the **Browsing history** area. - -3. Click the box next to **Cookies and website data**, and then click **Delete**. - -**Note**
This removes all of the sites from a local Enterprise Mode site list. - -   - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local Enterprise Mode site list. +author: lomayor +ms.prod: ie11 +ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local Enterprise Mode site list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. + +**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. + +  **To remove single sites from a local Enterprise Mode site list** + +1. Open Internet Explorer 11 and go to the site you want to remove. + +2. Click **Tools**, and then click **Enterprise Mode**.

+The checkmark disappears from next to Enterprise Mode and the site is removed from the list. + +**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. + + **To remove all sites from a local Enterprise Mode site list** + +1. Open IE11, click **Tools**, and then click **Internet options**. + +2. Click the **Delete** button from the **Browsing history** area. + +3. Click the box next to **Cookies and website data**, and then click **Delete**. + +**Note**
This removes all of the sites from a local Enterprise Mode site list. + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md index a5617dbc2c..48ead2d656 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -1,46 +1,46 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. -author: lomayor -ms.prod: ie11 -ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Save your site list to XML in the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. - - **To save your list as XML** - -1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. - -2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).

-The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. +author: lomayor +ms.prod: ie11 +ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Save your site list to XML in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. + + **To save your list as XML** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. + +2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).

+The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md index 06750c612b..b2a83dc360 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Schedule approved change requests for production using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. - -**To schedule an immediate change** -1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. - -2. The Requester clicks the **Approved** status for the change request. - - The **Schedule changes** page appears. - -3. The Requester clicks **Now**, and then clicks **Save**. - - The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. - - -**To schedule the change for a different day or time** -1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. - -2. The Requester clicks the **Approved** status for the change request. - - The **Schedule changes** page appears. - -3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. - - The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes. - - -## Next steps -After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Schedule approved change requests for production using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. + +**To schedule an immediate change** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Now**, and then clicks **Save**. + + The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. + + +**To schedule the change for a different day or time** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. + + The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes. + + +## Next steps +After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index f78022cc56..985b416947 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Search to see if a specific site already appears in your global Enterprise Mode site list. -author: lomayor -ms.prod: ie11 -ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. - - **To search your compatibility list** - -- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

- The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Search to see if a specific site already appears in your global Enterprise Mode site list. +author: lomayor +ms.prod: ie11 +ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. + + **To search your compatibility list** + +- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

+ The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 09b341577a..829f920161 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. -author: lomayor -ms.prod: ie11 -ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Set the default browser using Group Policy -You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10. - - **To set the default browser as Internet Explorer 11** - -1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

-Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). - - ![set default associations group policy setting](images/setdefaultbrowsergp.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

-If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. - -Your employees can change this setting by changing the Internet Explorer default value from the **Set Default Programs** area of the Control Panel. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. +author: lomayor +ms.prod: ie11 +ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set the default browser using Group Policy +You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10. + + **To set the default browser as Internet Explorer 11** + +1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). + + ![set default associations group policy setting](images/setdefaultbrowsergp.png) + +2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.

+If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon. + +Your employees can change this setting by changing the Internet Explorer default value from the **Set Default Programs** area of the Control Panel. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index 3d3726d938..ea77e11d87 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -1,160 +1,160 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Set up and turn on Enterprise Mode logging and data collection in your organization. -author: lomayor -ms.prod: ie11 -ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Set up Enterprise Mode logging and data collection - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. - -![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) - -The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. - -![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) - -Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. - -## Using ASP to collect your data -When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. - - **To set up an endpoint server** - -1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). - -2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

- This lets you create an ASP form that accepts the incoming POST messages. - -3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) - -4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - - ![IIS Manager, setting logging options](images/ie-emie-logging.png) - -5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

- Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. - -6. Apply these changes to your default website and close the IIS Manager. - -7. Put your EmIE.asp file into the root of the web server, using this command: - - ``` - <% @ LANGUAGE=javascript %> - <% - Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); - %> - ``` - This code logs your POST fields to your IIS log file, where you can review all of the collected data. - - -### IIS log file information -This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. - -![Enterprise Mode log file](images/ie-emie-logfile.png) - - -## Using the GitHub sample to collect your data -Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.

-This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page. - -### Setting up, collecting, and viewing reports -For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report. - - **To set up the sample** - -1. Set up a server to collect your Enterprise Mode information from your users. - -2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. - -3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. - -4. On the **Build** menu, tap or click **Build Solution**.

- The required packages are automatically downloaded and included in the solution. - - **To set up your endpoint server** - -5. Right-click on the name, PhoneHomeSample, and click **Publish**. - - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) - -6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. - - **Important**
- Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) - - After you finish the publishing process, you need to test to make sure the app deployed successfully. - - **To test, deploy, and use the app** - -7. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: - - ``` "Enable"="https:///api/records/" - ``` - Where `` points to your deployment URL. - -8. After you’re sure your deployment works, you can deploy it to your users using one of the following: - - - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. - - - Deploy the registry key in Step 3 using System Center or other management software. - -9. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. - - **To view the report results** - -- Go to `https:///List` to see the report results.

-If you’re already on the webpage, you’ll need to refresh the page to see the results. - - ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) - - -### Troubleshooting publishing errors -If you have errors while you’re publishing your project, you should try to update your packages. - - **To update your packages** - -1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. - - ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) - -2. Click **Updates** on the left side of the tool, and click the **Update All** button.

-You may need to do some additional package cleanup to remove older package versions. - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Set up and turn on Enterprise Mode logging and data collection in your organization. +author: lomayor +ms.prod: ie11 +ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set up Enterprise Mode logging and data collection + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu. + +![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png) + +The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic. + +![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png) + +Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. + +## Using ASP to collect your data +When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. + + **To set up an endpoint server** + +1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). + +2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

+ This lets you create an ASP form that accepts the incoming POST messages. + +3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. + + ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + +4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. + + ![IIS Manager, setting logging options](images/ie-emie-logging.png) + +5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

+ Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. + +6. Apply these changes to your default website and close the IIS Manager. + +7. Put your EmIE.asp file into the root of the web server, using this command: + + ``` + <% @ LANGUAGE=javascript %> + <% + Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); + %> + ``` + This code logs your POST fields to your IIS log file, where you can review all of the collected data. + + +### IIS log file information +This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode. + +![Enterprise Mode log file](images/ie-emie-logfile.png) + + +## Using the GitHub sample to collect your data +Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.

+This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page. + +### Setting up, collecting, and viewing reports +For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report. + + **To set up the sample** + +1. Set up a server to collect your Enterprise Mode information from your users. + +2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. + +3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. + +4. On the **Build** menu, tap or click **Build Solution**.

+ The required packages are automatically downloaded and included in the solution. + + **To set up your endpoint server** + +5. Right-click on the name, PhoneHomeSample, and click **Publish**. + + ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + +6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. + + **Important**
+ Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  + + ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + + After you finish the publishing process, you need to test to make sure the app deployed successfully. + + **To test, deploy, and use the app** + +7. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: + + ``` "Enable"="https:///api/records/" + ``` + Where `` points to your deployment URL. + +8. After you’re sure your deployment works, you can deploy it to your users using one of the following: + + - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. + + - Deploy the registry key in Step 3 using System Center or other management software. + +9. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. + + **To view the report results** + +- Go to `https:///List` to see the report results.

+If you’re already on the webpage, you’ll need to refresh the page to see the results. + + ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) + + +### Troubleshooting publishing errors +If you have errors while you’re publishing your project, you should try to update your packages. + + **To update your packages** + +1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**. + + ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png) + +2. Click **Updates** on the left side of the tool, and click the **Update All** button.

+You may need to do some additional package cleanup to remove older package versions. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index 872071fdf8..469464c98f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -1,227 +1,227 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to set up the Enterprise Mode Site List Portal for your organization. -author: lomayor -ms.prod: ie11 -title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Set up the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. - -Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment. - -## Step 1 - Copy the deployment folder to the web server -You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server. - -**To download the source code** -1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server. - -2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). - - >[!Note] - >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. - -3. Open File Explorer and then open the **EMIEWebPortal/** folder. - -4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**. - -5. Type _npm i_ into the command prompt, then press **Enter**. - - Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. - -6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. - - >[!Note] - >Step 3 of this topic provides the steps to create your database. - -7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. - -## Step 2 - Create the Application Pool and website, by using IIS -Create a new Application Pool and the website, by using the IIS Manager. - -**To create a new Application Pool** -1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**. - - The **Add Application Pool** box appears. - -2. In the **Add Application Pool** box, enter the following info: - - - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_. - - - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher. - - - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content. - -3. Click **OK**. - -4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane. - - The **Advanced Settings** box appears. - -5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box. - -6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_. - -7. Right-click on the directory, click **Properties**, and then click the **Security** tab. - -8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer. - -9. Add **Everyone** to the list with **Read & execute access**. - -**To create the website** -1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**. - - The **Add Website** box appears. - -2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**. - - The **Select Application Pool** box appears. - -4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_. - -5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_. - -6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization. - -7. Clear the **Start Website immediately** check box, and then click **OK**. - -8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_. - - The **<website_name> Home** pane appears. - -9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. - - >[!Note] - >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. - -## Step 3 - Create and prep your database -Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. - -**To create and prep your database** -1. Start SQL Server Management Studio. - -2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine. - -3. Expand the instance, right-click on **Databases**, and then click **New Database**. - -4. Type a database name. For example, _EMIEDatabase_. - -5. Leave all default values for the database files, and then click **OK**. - -6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory. - -7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_. - -8. Run the query. - -## Step 4 - Map your Application Pool to a SQL Server role -Map your ApplicationPoolIdentity to your database, adding the db_owner role. - -**To map your ApplicationPoolIdentity to a SQL Server role** -1. Start SQL Server Management Studio and connect to your database. - -2. Expand the database instance and then open the server-level **Security** folder. - - > [!IMPORTANT] - > Make sure you open the **Security** folder at the server level and not for the database. - -3. Right-click **Logins**, and then click **New Login**. - - The **Login-New** dialog box appears. - -4. Type the following into the **Login name** box, based on your server instance type: - - - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_. - - - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`. - - > [!IMPORTANT] - > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID). - -5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane. - -6. Click **OK**. - -## Step 5 - Restart the Application Pool and website -Using the IIS Manager, you must restart both your Application Pool and your website. - -**To restart your Application Pool and website** -1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane. - -2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane. - -## Step 6 - Registering as an administrator -After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. - -**To register as an administrator** -1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085. - -2. Click **Register now**. - -3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box. - -4. Click **Administrator** from the **Role** box, and then click **Save**. - -5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole. - - A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. - -6. Select your name from the available list, and then click **Activate**. - -7. Go to the Enterprise Mode Site List Portal Home page and sign in. - -## Step 7 - Configure the SMTP server and port for email notification -After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system. - -**To set up your SMTP server and port for emails** -1. Open Visual Studio, and then open the web.config file from your deployment directory. - -2. Update the SMTP server and port info with your info, using this format: - - ``` - - - ``` -3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info. - -## Step 8 - Register the scheduler service -Register the EMIEScheduler tool and service for production site list changes. - -**To register the scheduler service** - -1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. - - >[!Important] - >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. - -2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. - -3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._ - - You'll be asked for your user name and password for the service. - -4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. - -## Related topics -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) - -- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to set up the Enterprise Mode Site List Portal for your organization. +author: lomayor +ms.prod: ie11 +title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Set up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment. + +## Step 1 - Copy the deployment folder to the web server +You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server. + +**To download the source code** +1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server. + +2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). + + >[!Note] + >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. + +3. Open File Explorer and then open the **EMIEWebPortal/** folder. + +4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**. + +5. Type _npm i_ into the command prompt, then press **Enter**. + + Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. + +6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. + + >[!Note] + >Step 3 of this topic provides the steps to create your database. + +7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. + +## Step 2 - Create the Application Pool and website, by using IIS +Create a new Application Pool and the website, by using the IIS Manager. + +**To create a new Application Pool** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**. + + The **Add Application Pool** box appears. + +2. In the **Add Application Pool** box, enter the following info: + + - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_. + + - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher. + + - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content. + +3. Click **OK**. + +4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane. + + The **Advanced Settings** box appears. + +5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box. + +6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_. + +7. Right-click on the directory, click **Properties**, and then click the **Security** tab. + +8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer. + +9. Add **Everyone** to the list with **Read & execute access**. + +**To create the website** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**. + + The **Add Website** box appears. + +2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**. + + The **Select Application Pool** box appears. + +4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_. + +5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_. + +6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization. + +7. Clear the **Start Website immediately** check box, and then click **OK**. + +8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_. + + The **<website_name> Home** pane appears. + +9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. + + >[!Note] + >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + +## Step 3 - Create and prep your database +Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. + +**To create and prep your database** +1. Start SQL Server Management Studio. + +2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine. + +3. Expand the instance, right-click on **Databases**, and then click **New Database**. + +4. Type a database name. For example, _EMIEDatabase_. + +5. Leave all default values for the database files, and then click **OK**. + +6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory. + +7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_. + +8. Run the query. + +## Step 4 - Map your Application Pool to a SQL Server role +Map your ApplicationPoolIdentity to your database, adding the db_owner role. + +**To map your ApplicationPoolIdentity to a SQL Server role** +1. Start SQL Server Management Studio and connect to your database. + +2. Expand the database instance and then open the server-level **Security** folder. + + > [!IMPORTANT] + > Make sure you open the **Security** folder at the server level and not for the database. + +3. Right-click **Logins**, and then click **New Login**. + + The **Login-New** dialog box appears. + +4. Type the following into the **Login name** box, based on your server instance type: + + - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_. + + - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`. + + > [!IMPORTANT] + > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID). + +5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane. + +6. Click **OK**. + +## Step 5 - Restart the Application Pool and website +Using the IIS Manager, you must restart both your Application Pool and your website. + +**To restart your Application Pool and website** +1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane. + +2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane. + +## Step 6 - Registering as an administrator +After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. + +**To register as an administrator** +1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085. + +2. Click **Register now**. + +3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box. + +4. Click **Administrator** from the **Role** box, and then click **Save**. + +5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole. + + A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. + +6. Select your name from the available list, and then click **Activate**. + +7. Go to the Enterprise Mode Site List Portal Home page and sign in. + +## Step 7 - Configure the SMTP server and port for email notification +After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system. + +**To set up your SMTP server and port for emails** +1. Open Visual Studio, and then open the web.config file from your deployment directory. + +2. Update the SMTP server and port info with your info, using this format: + + ``` + + + ``` +3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info. + +## Step 8 - Register the scheduler service +Register the EMIEScheduler tool and service for production site list changes. + +**To register the scheduler service** + +1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. + + >[!Important] + >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + +2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. + +3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._ + + You'll be asked for your user name and password for the service. + +4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md index 155feca2cc..2e0ad0a745 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md @@ -1,66 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: appcompat -description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Setup problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Setup problems with Internet Explorer 11 -Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder): - -- `IE11_main.log` - -- `IE11_NR_Setup.log` - -- `IE11_uninst.log` - -- `cbs*.log` - -- `WU_ IE11_LangPacks.log` - -These log files continuously record the entire process from the moment the IE setup program starts running until the last .cab file is downloaded, including error codes. The possible error codes are: - -|Error code |Description | -|-----------|-------------------------------------------| -|0 |Success | -|1460 |Timeout | -|3010 |Success, reboot required | -|40001 |USER_ERROR_CANNOT_OPEN_LOG_FILE | -|40003 |USER_ERROR_CANNOT_INITIALIZE_APPLICATION | -|40004 |USER_ERROR_OLD_OS_VERSION | -|40005 |USER_ERROR_WRONG_PLATFORM | -|40006 |USER_ERROR_BAD_SPVERSION | -|40007 |USER_ERROR_MISSING_REQUIRED_PREREQUISITE | -|40008 |USER_ERROR_IE_GREATERVERSION_INSTALLED | -|40010 |USER_ERROR_BAD_LANGUAGE | -|40012 |USER_ERROR_CRYPTO_VALIDATION_FAILED | -|40013 |USER_ERROR_ALREADY_INSTALLED | -|40015 |USER_ERROR_WRONG_OS | -|40016 |USER_ERROR_EXTRACTION_FAILED | -|40019 |USER_ERROR_WINDOWS_PRERELEASE_NOT_SUPPORTED | -|40021 |USER_ERROR_UNSUPPORTED_VIDEO_HARDWARE | -|40022 |USER_ERROR_UNSUPPORTED_VIDEO_DRIVER | -|40023 |USER_ERROR_PREREQUISITE_INSTALL_FAILED | -|40024 |USER_ERROR_NEUTRAL_CAB_DOWNLOAD_FAILED | -|40025 |USER_ERROR_NEUTRAL_CAB_INSTALL_FAILED | -|41001 |USER_ERROR_UNKNOWN | -|50005 |USER_SUCCESS_USER_CANCELLED | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: appcompat +description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Setup problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Setup problems with Internet Explorer 11 +Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder): + +- `IE11_main.log` + +- `IE11_NR_Setup.log` + +- `IE11_uninst.log` + +- `cbs*.log` + +- `WU_ IE11_LangPacks.log` + +These log files continuously record the entire process from the moment the IE setup program starts running until the last .cab file is downloaded, including error codes. The possible error codes are: + +|Error code |Description | +|-----------|-------------------------------------------| +|0 |Success | +|1460 |Timeout | +|3010 |Success, reboot required | +|40001 |USER_ERROR_CANNOT_OPEN_LOG_FILE | +|40003 |USER_ERROR_CANNOT_INITIALIZE_APPLICATION | +|40004 |USER_ERROR_OLD_OS_VERSION | +|40005 |USER_ERROR_WRONG_PLATFORM | +|40006 |USER_ERROR_BAD_SPVERSION | +|40007 |USER_ERROR_MISSING_REQUIRED_PREREQUISITE | +|40008 |USER_ERROR_IE_GREATERVERSION_INSTALLED | +|40010 |USER_ERROR_BAD_LANGUAGE | +|40012 |USER_ERROR_CRYPTO_VALIDATION_FAILED | +|40013 |USER_ERROR_ALREADY_INSTALLED | +|40015 |USER_ERROR_WRONG_OS | +|40016 |USER_ERROR_EXTRACTION_FAILED | +|40019 |USER_ERROR_WINDOWS_PRERELEASE_NOT_SUPPORTED | +|40021 |USER_ERROR_UNSUPPORTED_VIDEO_HARDWARE | +|40022 |USER_ERROR_UNSUPPORTED_VIDEO_DRIVER | +|40023 |USER_ERROR_PREREQUISITE_INSTALL_FAILED | +|40024 |USER_ERROR_NEUTRAL_CAB_DOWNLOAD_FAILED | +|40025 |USER_ERROR_NEUTRAL_CAB_INSTALL_FAILED | +|41001 |USER_ERROR_UNKNOWN | +|50005 |USER_SUCCESS_USER_CANCELLED | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md index b04869b6fe..66bf4edda5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md @@ -1,61 +1,61 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Lists the minimum system requirements and supported languages for Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# System requirements and language support for Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 Update -- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. - -## Minimum system requirements for IE11 -IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). - -**Important**
  -IE11 isn't supported on Windows 8 or Windows Server 2012. - -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Computer/processor | 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) | -| Operating system |

  • Windows 10 (32-bit or 64-bit)
  • Windows 8.1 Update (32-bit or 64-bit)
  • Windows 7 with SP1 (32-bit or 64-bit)
  • Windows Server 2012 R2
  • Windows Server 2008 R2 with SP1 (64-bit only)
| -| Memory |
  • Windows 10 (32-bit)-1 GB
  • Windows 10 (64-bit)-2 GB
  • Windows 8.1 Update (32-bit)-1 GB
  • Windows 8.1 Update (64-bit)-2 GB
  • Windows 7 with SP1 (32-bit or 64-bit)-512 MB
  • Windows Server 2012 R2-512 MB
  • Windows Server 2008 R2 with SP1 (64-bit only)-512 MB
| -| Hard drive space |
  • Windows 10 (32-bit)-16 GB
  • Windows 10 (64-bit)-20 GB
  • Windows 8.1 Update (32-bit)-16 GB
  • Windows 8.1 Update (64-bit)-20 GB
  • Windows 7 with SP1 (32-bit)-70 MB
  • Windows 7 with SP1 (64-bit)-120 MB
  • Windows Server 2012 R2-32 GB
  • Windows Server 2008 R2 with SP1 (64-bit only)-200 MB
      • | -| Drive | CD-ROM drive (if installing from a CD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Peripherals | Internet connection and a compatible pointing device | - -## Support for .NET Framework -You might experience start up issues where IE11 fails to launch an application that uses managed browser hosting controls with your legacy apps. This is because, starting with Internet Explorer 10, the browser started blocking legacy apps from using the .NET Framework 1.1 and 2.0. To fix this problem, see [.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md). - -## Support for multiple languages -IE11 is available in 108 languages for Windows 8.1 and Windows 10 and in 97 languages for Windows 7 with SP1. For the list of languages and download links, see [Available language packs based on operating system](https://go.microsoft.com/fwlink/p/?LinkId=281818). - -Computers running localized versions of Windows should run the same version of IE11. For example, if your employees use the Spanish edition of Windows, you should deploy the Spanish version of IE11. On the other hand, if your employees use multiple localized versions of Windows, like Spanish, French, and Catalan, you should install IE11 in one of the languages, and then install language packs for the others. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Lists the minimum system requirements and supported languages for Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# System requirements and language support for Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 Update +- Windows 7 with Service Pack 1 (SP1) +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. + +## Minimum system requirements for IE11 +IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). + +**Important**
        +IE11 isn't supported on Windows 8 or Windows Server 2012. + +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. + + +| Item | Minimum requirements | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Computer/processor | 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) | +| Operating system |
      • Windows 10 (32-bit or 64-bit)
      • Windows 8.1 Update (32-bit or 64-bit)
      • Windows 7 with SP1 (32-bit or 64-bit)
      • Windows Server 2012 R2
      • Windows Server 2008 R2 with SP1 (64-bit only)
      | +| Memory |
      • Windows 10 (32-bit)-1 GB
      • Windows 10 (64-bit)-2 GB
      • Windows 8.1 Update (32-bit)-1 GB
      • Windows 8.1 Update (64-bit)-2 GB
      • Windows 7 with SP1 (32-bit or 64-bit)-512 MB
      • Windows Server 2012 R2-512 MB
      • Windows Server 2008 R2 with SP1 (64-bit only)-512 MB
      | +| Hard drive space |
      • Windows 10 (32-bit)-16 GB
      • Windows 10 (64-bit)-20 GB
      • Windows 8.1 Update (32-bit)-16 GB
      • Windows 8.1 Update (64-bit)-20 GB
      • Windows 7 with SP1 (32-bit)-70 MB
      • Windows 7 with SP1 (64-bit)-120 MB
      • Windows Server 2012 R2-32 GB
      • Windows Server 2008 R2 with SP1 (64-bit only)-200 MB
          • | +| Drive | CD-ROM drive (if installing from a CD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Peripherals | Internet connection and a compatible pointing device | + +## Support for .NET Framework +You might experience start up issues where IE11 fails to launch an application that uses managed browser hosting controls with your legacy apps. This is because, starting with Internet Explorer 10, the browser started blocking legacy apps from using the .NET Framework 1.1 and 2.0. To fix this problem, see [.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md). + +## Support for multiple languages +IE11 is available in 108 languages for Windows 8.1 and Windows 10 and in 97 languages for Windows 7 with SP1. For the list of languages and download links, see [Available language packs based on operating system](https://go.microsoft.com/fwlink/p/?LinkId=281818). + +Computers running localized versions of Windows should run the same version of IE11. For example, if your employees use the Spanish edition of Windows, you should deploy the Spanish version of IE11. On the other hand, if your employees use multiple localized versions of Windows, like Spanish, French, and Catalan, you should install IE11 in one of the languages, and then install language packs for the others. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index 100c1159b5..00029e6c5b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -1,135 +1,135 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Tips and tricks to manage Internet Explorer compatibility -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Tips and tricks to manage Internet Explorer compatibility - -Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. - -Jump to: -- [Tips for IT professionals](#tips-for-it-professionals) -- [Tips for web developers](#tips-for-web-developers) - -[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. - -![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) - -Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. - -Compatibility View, first introduced with Internet Explorer 8, is basically a switch. If a webpage has no DOCTYPE, that page will be rendered in Internet Explorer 5 mode. If there is a DOCTYPE, the page will be rendered in Internet Explorer 7 mode. You can effectively get Compatibility View by specifying Internet Explorer 7 in the \ section, as this falls back to Internet Explorer 5 automatically if there's no DOCTYPE, or you can use IE7 Enterprise Mode for even better emulation. - -## Tips for IT professionals - -### Inventory your sites - -Upgrading to a new browser can be a time-consuming and potentially costly venture. To help reduce these costs, you can download the [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570), which can help you prioritize which sites you should be testing based on their usage in your enterprise. For example, if the data shows that no one is visiting a particular legacy web app, you may not need to test or fix it. The toolkit is supported on Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The toolkit also gives you information about which document mode a page runs in your current browser so you can better understand how to fix that site if it breaks in a newer version of the browser. - -Once you know which sites to test and fix, the following remediation methods may help fix your compatibility issues in Internet Explorer 11 and Windows 10. - -### If you're on Internet Explorer 8 and upgrading to Internet Explorer 11: - -Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 documents modes, as well as IE8 Enterprise Mode and IE7 Enterprise Mode. - -- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 8 mode. This is because "edge" in Internet Explorer 8 meant Internet Explorer 8 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. - -- Sites without a DOCTYPE in zones other than Intranet will default to QME (or "interoperable quirks") rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. - -- Some sites may need to be added to both Enterprise Mode and Compatibility View to work. You can do this by adding the site to IE7 Enterprise Mode. - -### If you're on Internet Explorer 9 and upgrading to Internet Explorer 11: - -Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 9 document modes. - -- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 9 mode. This is because "edge" in Internet Explorer 9 meant Internet Explorer 9 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. - -- Sites without a DOCTYPE in zones other than Intranet will default to Interoperable Quirks rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. - -- If your sites worked in Internet Explorer 9, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. - -### If you're on Internet Explorer 10 and upgrading to Internet Explorer 11: - -Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 10 modes. - -- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 10 mode. This is because "edge" in Internet Explorer 10 meant Internet Explorer 10 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. - -- If your sites worked in Internet Explorer 10, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. - -### If you're on Internet Explorer 11 and upgrading to Windows 10: - -You're all set! You shouldn’t need to make any changes. - -## Tips for web developers - -If your website worked in an older version of Internet Explorer, but no longer works in Internet Explorer 11, you may need to update the site. Here are the set of steps you should take to find the appropriate remediation strategy. - -### Try document modes - -To see if the site works in the Internet Explorer 5, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 document modes: - -- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. - - ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) - -- Run the site in each document mode until you find the mode in which the site works. - - >[!NOTE] - >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. - -- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. - -### Try IE8 Enterprise Mode - -If a document mode didn't fix your site, try IE8 Enterprise Mode, which benefits sites written for Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 document modes. - -- Enable the **Let users turn on and use Enterprise Mode from the Tools menu** policy locally on your machine. To do this: - - - Search for and run **gpedit.msc** - - - Navigate to **Computer Configuration** \> **Administrative Template** \> **Windows Components** \> **Internet Explorer**. - - - Enable the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting. - - After making this change, run **gpupdate.exe /force** to make sure the setting is applied locally. You should also make sure to disable this setting once you're done testing. Alternately, you can use a regkey; see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) for more information. - -- Restart Internet Explorer 11 and open the site you're testing, then go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. If the site works, inform the IT administrator that the site needs to be added to the IE8 Enterprise Mode section. - -### Try IE7 Enterprise Mode - -If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compatibility View behavior that shipped with Internet Explorer 8 with Enterprise Mode. To try this approach: - -- Go to the **Tools** menu, select **Compatibility View Settings**, and add the site to the list. - -- Go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. - -If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ - ->[!NOTE] ->Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. - -### Update the site for modern web standards - -We recommend that enterprise customers focus their new development on established, modern web standards for better performance and interoperability across devices, and avoid developing sites in older Internet Explorer document modes. We often hear that, due to fact that the Intranet zone defaults to Compatibility View, web developers inadvertently create new sites in the Internet Explorer 7 or Internet Explorer 5 modes in the Intranet zone, depending on whether or not they used a DOCTYPE. As you move your web apps to modern standards, you can enable the **Turn on Internet Explorer Standards Mode for local intranet** Group Policy setting and add those sites that need Internet Explorer 5 or Internet Explorer 7 modes to the Site List. Of course, it is always a good idea to test the app to ensure that these settings work for your environment. - -## Related resources - -- [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx) -- [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) -- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570) -- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Tips and tricks to manage Internet Explorer compatibility +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Tips and tricks to manage Internet Explorer compatibility + +Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. + +Jump to: +- [Tips for IT professionals](#tips-for-it-professionals) +- [Tips for web developers](#tips-for-web-developers) + +[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. + +![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) + +Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. + +Compatibility View, first introduced with Internet Explorer 8, is basically a switch. If a webpage has no DOCTYPE, that page will be rendered in Internet Explorer 5 mode. If there is a DOCTYPE, the page will be rendered in Internet Explorer 7 mode. You can effectively get Compatibility View by specifying Internet Explorer 7 in the \ section, as this falls back to Internet Explorer 5 automatically if there's no DOCTYPE, or you can use IE7 Enterprise Mode for even better emulation. + +## Tips for IT professionals + +### Inventory your sites + +Upgrading to a new browser can be a time-consuming and potentially costly venture. To help reduce these costs, you can download the [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570), which can help you prioritize which sites you should be testing based on their usage in your enterprise. For example, if the data shows that no one is visiting a particular legacy web app, you may not need to test or fix it. The toolkit is supported on Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The toolkit also gives you information about which document mode a page runs in your current browser so you can better understand how to fix that site if it breaks in a newer version of the browser. + +Once you know which sites to test and fix, the following remediation methods may help fix your compatibility issues in Internet Explorer 11 and Windows 10. + +### If you're on Internet Explorer 8 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 documents modes, as well as IE8 Enterprise Mode and IE7 Enterprise Mode. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 8 mode. This is because "edge" in Internet Explorer 8 meant Internet Explorer 8 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- Sites without a DOCTYPE in zones other than Intranet will default to QME (or "interoperable quirks") rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. + +- Some sites may need to be added to both Enterprise Mode and Compatibility View to work. You can do this by adding the site to IE7 Enterprise Mode. + +### If you're on Internet Explorer 9 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 9 document modes. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 9 mode. This is because "edge" in Internet Explorer 9 meant Internet Explorer 9 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- Sites without a DOCTYPE in zones other than Intranet will default to Interoperable Quirks rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. + +- If your sites worked in Internet Explorer 9, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. + +### If you're on Internet Explorer 10 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 10 modes. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 10 mode. This is because "edge" in Internet Explorer 10 meant Internet Explorer 10 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- If your sites worked in Internet Explorer 10, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. + +### If you're on Internet Explorer 11 and upgrading to Windows 10: + +You're all set! You shouldn’t need to make any changes. + +## Tips for web developers + +If your website worked in an older version of Internet Explorer, but no longer works in Internet Explorer 11, you may need to update the site. Here are the set of steps you should take to find the appropriate remediation strategy. + +### Try document modes + +To see if the site works in the Internet Explorer 5, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 document modes: + +- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. + + ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) + +- Run the site in each document mode until you find the mode in which the site works. + + >[!NOTE] + >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. + +- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. + +### Try IE8 Enterprise Mode + +If a document mode didn't fix your site, try IE8 Enterprise Mode, which benefits sites written for Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 document modes. + +- Enable the **Let users turn on and use Enterprise Mode from the Tools menu** policy locally on your machine. To do this: + + - Search for and run **gpedit.msc** + + - Navigate to **Computer Configuration** \> **Administrative Template** \> **Windows Components** \> **Internet Explorer**. + + - Enable the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting. + + After making this change, run **gpupdate.exe /force** to make sure the setting is applied locally. You should also make sure to disable this setting once you're done testing. Alternately, you can use a regkey; see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) for more information. + +- Restart Internet Explorer 11 and open the site you're testing, then go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. If the site works, inform the IT administrator that the site needs to be added to the IE8 Enterprise Mode section. + +### Try IE7 Enterprise Mode + +If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compatibility View behavior that shipped with Internet Explorer 8 with Enterprise Mode. To try this approach: + +- Go to the **Tools** menu, select **Compatibility View Settings**, and add the site to the list. + +- Go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. + +If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ + +>[!NOTE] +>Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. + +### Update the site for modern web standards + +We recommend that enterprise customers focus their new development on established, modern web standards for better performance and interoperability across devices, and avoid developing sites in older Internet Explorer document modes. We often hear that, due to fact that the Intranet zone defaults to Compatibility View, web developers inadvertently create new sites in the Internet Explorer 7 or Internet Explorer 5 modes in the Intranet zone, depending on whether or not they used a DOCTYPE. As you move your web apps to modern standards, you can enable the **Turn on Internet Explorer Standards Mode for local intranet** Group Policy setting and add those sites that need Internet Explorer 5 or Internet Explorer 7 modes to the Site List. Of course, it is always a good idea to test the app to ensure that these settings work for your environment. + +## Related resources + +- [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx) +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570) +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md index b560483fb1..55e4491ac7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. -author: lomayor -ms.prod: ie11 -ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Troubleshoot Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. - -## In this section - -|Topic |Description | -|-------|--------------| -|[Setup problems with Internet Explorer 11](setup-problems-with-ie11.md) |Guidance about how to find and understand the error log files created when setup runs. | -|[Install problems with Internet Explorer 11](install-problems-with-ie11.md) |Guidance about how to address potential problems when IE doesn’t finish installing. | -|[Problems after installing Internet Explorer 11](problems-after-installing-ie11.md) |Guidance about how to troubleshoot and help fix instability problems, where IE crashes or seems slow or where Digital Rights Management (DRM) playback doesn’t work. | -|[Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md) |Guidance about how to troubleshoot and help fix problems where branding changes aren’t distributed or where you’re experiencing proxy server setup problems. | -|[User interface problems with Internet Explorer 11](user-interface-problems-with-ie11.md) |Guidance about changes to the IE Customization Wizard, security zones, Favorites, Command, and Status bars, and the search box. | -|[Group Policy problems with Internet Explorer 11](group-policy-problems-ie11.md) |Guidance about how to find the Group Policy Object-related log files for troubleshooting. | -|[.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md) |Guidance about how to turn managed browser hosting controls back on. | -|[Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md) |Guidance about how to turn off Enhanced Protected Mode to address compatibility issues. | -|[Fix font rendering problems by turning off natural metrics](turn-off-natural-metrics.md) |Guidance about how to turn off natural metrics to address font rendering problems. | -|[Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md) |Guidance about how to turn on single-word intranet searches in the address bar. | -|[Browser cache changes and roaming profiles](browser-cache-changes-and-roaming-profiles.md) |Guidance about changes we’ve made to the browser cache to improve the performance, flexibility, reliability, and scalability and how to get the best results while using a roaming profile. | - -  - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. +author: lomayor +ms.prod: ie11 +ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Troubleshoot Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. + +## In this section + +|Topic |Description | +|-------|--------------| +|[Setup problems with Internet Explorer 11](setup-problems-with-ie11.md) |Guidance about how to find and understand the error log files created when setup runs. | +|[Install problems with Internet Explorer 11](install-problems-with-ie11.md) |Guidance about how to address potential problems when IE doesn’t finish installing. | +|[Problems after installing Internet Explorer 11](problems-after-installing-ie11.md) |Guidance about how to troubleshoot and help fix instability problems, where IE crashes or seems slow or where Digital Rights Management (DRM) playback doesn’t work. | +|[Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md) |Guidance about how to troubleshoot and help fix problems where branding changes aren’t distributed or where you’re experiencing proxy server setup problems. | +|[User interface problems with Internet Explorer 11](user-interface-problems-with-ie11.md) |Guidance about changes to the IE Customization Wizard, security zones, Favorites, Command, and Status bars, and the search box. | +|[Group Policy problems with Internet Explorer 11](group-policy-problems-ie11.md) |Guidance about how to find the Group Policy Object-related log files for troubleshooting. | +|[.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md) |Guidance about how to turn managed browser hosting controls back on. | +|[Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md) |Guidance about how to turn off Enhanced Protected Mode to address compatibility issues. | +|[Fix font rendering problems by turning off natural metrics](turn-off-natural-metrics.md) |Guidance about how to turn off natural metrics to address font rendering problems. | +|[Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md) |Guidance about how to turn on single-word intranet searches in the address bar. | +|[Browser cache changes and roaming profiles](browser-cache-changes-and-roaming-profiles.md) |Guidance about changes we’ve made to the browser cache to improve the performance, flexibility, reliability, and scalability and how to get the best results while using a roaming profile. | + +  + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md index e6bd87fc61..d193f26c68 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md @@ -1,80 +1,80 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: How to turn Enterprise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. -author: lomayor -ms.prod: ie11 -ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Turn off Enterprise Mode - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list. - -In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu. - -**Important**
          -Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. - - **To turn off the site list using Group Policy** - -1. Open your Group Policy editor, like Group Policy Management Console (GPMC). - -2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

          - Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. - - **To turn off local control using Group Policy** - -3. Open your Group Policy editor, like Group Policy Management Console (GPMC). - -4. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. - -5. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. - - **To turn off the site list using the registry** - -6. Open a registry editor, such as regedit.exe. - -7. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

          - You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. - -8. Close all and restart all instances of Internet Explorer.

          - IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). - - **To turn off local control using the registry** - -9. Open a registry editor, such as regedit.exe. - -10. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

          - You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. - -11. Close and restart all instances of IE.

          - Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). - -## Related topics -- [What is Enterprise Mode?](what-is-enterprise-mode.md) -- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) -- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: How to turn Enterprise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. +author: lomayor +ms.prod: ie11 +ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Turn off Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list. + +In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu. + +**Important**
          +Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. + + **To turn off the site list using Group Policy** + +1. Open your Group Policy editor, like Group Policy Management Console (GPMC). + +2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

          + Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. + + **To turn off local control using Group Policy** + +3. Open your Group Policy editor, like Group Policy Management Console (GPMC). + +4. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. + +5. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. + + **To turn off the site list using the registry** + +6. Open a registry editor, such as regedit.exe. + +7. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

          + You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. + +8. Close all and restart all instances of Internet Explorer.

          + IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). + + **To turn off local control using the registry** + +9. Open a registry editor, such as regedit.exe. + +10. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

          + You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. + +11. Close and restart all instances of IE.

          + Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). + +## Related topics +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md index c562b6862a..890640ae36 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Turn off natural metrics for Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Fix font rendering problems by turning off natural metrics -By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites. - -However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites. - - **To turn off natural metrics** - -- Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi` - -

          -OR-

          - -- Add the following <meta> tag to each site: `` - -Turning off natural metrics automatically turns on GDI metrics. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Turn off natural metrics for Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Fix font rendering problems by turning off natural metrics +By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites. + +However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites. + + **To turn off natural metrics** + +- Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi` + +

          -OR-

          + +- Add the following <meta> tag to each site: `` + +Turning off natural metrics automatically turns on GDI metrics. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index ba48d04b38..1a6823e2db 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -1,75 +1,75 @@ ---- -title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros) -description: How to turn on Enterprise Mode and specify a site list. -ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 -ms.reviewer: -manager: dansimp -ms.prod: ie11 -ms.mktglfcycl: deploy -ms.pagetype: appcompat -ms.sitesec: library -author: lomayor -ms.author: lomayor -ms.date: 08/14/2017 -ms.localizationpriority: medium - - - - - ---- - - -# Turn on Enterprise Mode and use a site list - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. - ->[!NOTE] ->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. - - **To turn on Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

          - Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - - ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - - **To turn on Enterprise Mode using the registry** - -3. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. -

          -OR-

          - For all users on the device: Open a registry editor, like regedit.exe and go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode. - -4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: - - ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) - - - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` - - - **Local network:** `"SiteList"="\\network\shares\sites.xml"` - - - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` - - All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) - - - - - - +--- +title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros) +description: How to turn on Enterprise Mode and specify a site list. +ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 +ms.reviewer: +audience: itpro manager: dansimp +ms.prod: ie11 +ms.mktglfcycl: deploy +ms.pagetype: appcompat +ms.sitesec: library +author: lomayor +ms.author: lomayor +ms.date: 08/14/2017 +ms.localizationpriority: medium + + + + + +--- + + +# Turn on Enterprise Mode and use a site list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. + +>[!NOTE] +>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. + + **To turn on Enterprise Mode using Group Policy** + +1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

          + Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. + + ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) + +2. Click **Enabled**, and then in the **Options** area, type the location to your site list. + + **To turn on Enterprise Mode using the registry** + +3. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. +

          -OR-

          + For all users on the device: Open a registry editor, like regedit.exe and go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode. + +4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: + + ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) + + - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` + + - **Local network:** `"SiteList"="\\network\shares\sites.xml"` + + - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` + + All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index 830bb995d5..2f52fdfba2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -1,64 +1,64 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Turn on local user control and logging for Enterprise Mode. -author: lomayor -ms.prod: ie11 -ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Turn on local control and logging for Enterprise Mode - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools. - -Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu. - - **To turn on local control of Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) - -2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. - - **To turn on local control of Enterprise Mode using the registry** - -3. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. - -4. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. - -5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) - -Your **Value data** location can be any of the following types: - -- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

          **Important**
          - The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. -- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. -- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. - -For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Turn on local user control and logging for Enterprise Mode. +author: lomayor +ms.prod: ie11 +ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Turn on local control and logging for Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools. + +Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu. + + **To turn on local control of Enterprise Mode using Group Policy** + +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. + + ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + +2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. + + **To turn on local control of Enterprise Mode using the registry** + +3. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. + +4. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. + +5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. + + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + +Your **Value data** location can be any of the following types: + +- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

          **Important**
          + The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. + +For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md index 7a9a2bf652..a4121ee693 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md @@ -1,50 +1,50 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: High-level info about some of the new and updated features for Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: List of updated features and tools - Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# List of updated features and tools - Internet Explorer 11 (IE11) - -**Applies to:** - -- Windows 10 -- Windows 8.1 Update -- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Internet Explorer 11 includes several new features and tools. This topic includes high-level info about the each of them. - -## Updated features and tools -- **Updated web standards.** WebGL, Canvas 2D L2 extensions, fullscreen API, encrypted media extensions, media source extensions, CSS flexible box layout module, mutation observers, like DOM4 and 5.3. - -- **Enhanced Protected Mode.** Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments. This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md). - -- **Enterprise Mode.** Enterprise Mode, a compatibility mode that runs on IE11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. For more info, see [What is Enterprise Mode?](what-is-enterprise-mode.md) - -- **Out-of-date ActiveX control blocking**. Helps to keep your ActiveX controls up-to-date, because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. For more info, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md). - -- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md). - -- **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). - -- **Unattend Settings.** Lets you update the Unattend.xml file, to customize the home page, favorites, search providers, feeds, Accelerators, Web Slices, and settings for top result searches. For more info, see the [Unattend Settings: Microsoft-Windows-IE-InternetExplorer](https://go.microsoft.com/fwlink/p/?LinkId=263709). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: High-level info about some of the new and updated features for Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: List of updated features and tools - Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# List of updated features and tools - Internet Explorer 11 (IE11) + +**Applies to:** + +- Windows 10 +- Windows 8.1 Update +- Windows 7 with Service Pack 1 (SP1) +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Internet Explorer 11 includes several new features and tools. This topic includes high-level info about the each of them. + +## Updated features and tools +- **Updated web standards.** WebGL, Canvas 2D L2 extensions, fullscreen API, encrypted media extensions, media source extensions, CSS flexible box layout module, mutation observers, like DOM4 and 5.3. + +- **Enhanced Protected Mode.** Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments. This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](enhanced-protected-mode-problems-with-ie11.md). + +- **Enterprise Mode.** Enterprise Mode, a compatibility mode that runs on IE11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. For more info, see [What is Enterprise Mode?](what-is-enterprise-mode.md) + +- **Out-of-date ActiveX control blocking**. Helps to keep your ActiveX controls up-to-date, because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. For more info, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md). + +- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md). + +- **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). + +- **Unattend Settings.** Lets you update the Unattend.xml file, to customize the home page, favorites, search providers, feeds, Accelerators, Web Slices, and settings for top result searches. For more info, see the [Unattend Settings: Microsoft-Windows-IE-InternetExplorer](https://go.microsoft.com/fwlink/p/?LinkId=263709). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md index b7fde38f3a..ad67aa915b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md @@ -1,84 +1,84 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. -ms.prod: ie11 -title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor -author: lomayor ---- - -# Use the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. - -You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. - -## Minimum system requirements for portal and test machines -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. - -|Item |Description | -|-----|------------| -|Operating system |Windows 7 or later | -|Memory |16 GB RAM | -|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | -|Active Directory (AD) |Devices must be domain-joined | -|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | -|Visual Studio |Visual Studio 2015 or later | -|Node.js® package manager |npm Developer version or higher | -|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | - -## Role assignments and available actions -Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. - -|Role assignment |Available actions | -|----------------|------------------| -|Requester |

          • Create a change request


          • Validate changes in the pre-production environment


          • Rollback pre-production and production changes in case of failure


          • Send approval requests


          • View own requests


          • Sign off and close own requests
          | -|Approver

          (includes the App Manager and Group Head roles) |
          • All of the Requester actions, plus:


          • Approve requests
          | -|Administrator |
          • All of the Requester and Approver actions, plus:


          • Add employees to the portal


          • Assign employee roles


          • Approve registrations to the portal


          • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


          • Use the standalone Enterprise Mode Site List Manager page


          • View reports
          | - -## Enterprise Mode Site List Portal workflow by employee role -The following workflow describes how to use the Enterprise Mode Site List Portal. - -1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) - -2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) - -3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) - -4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) - -5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) - - -## Related topics -- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) - -- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) - -- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) - -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. +ms.prod: ie11 +title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +author: lomayor +--- + +# Use the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. + +## Minimum system requirements for portal and test machines +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. + +|Item |Description | +|-----|------------| +|Operating system |Windows 7 or later | +|Memory |16 GB RAM | +|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | +|Active Directory (AD) |Devices must be domain-joined | +|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | +|Visual Studio |Visual Studio 2015 or later | +|Node.js® package manager |npm Developer version or higher | +|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | + +## Role assignments and available actions +Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. + +|Role assignment |Available actions | +|----------------|------------------| +|Requester |
          • Create a change request


          • Validate changes in the pre-production environment


          • Rollback pre-production and production changes in case of failure


          • Send approval requests


          • View own requests


          • Sign off and close own requests
          | +|Approver

          (includes the App Manager and Group Head roles) |
          • All of the Requester actions, plus:


          • Approve requests
          | +|Administrator |
          • All of the Requester and Approver actions, plus:


          • Add employees to the portal


          • Assign employee roles


          • Approve registrations to the portal


          • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


          • Use the standalone Enterprise Mode Site List Manager page


          • View reports
          | + +## Enterprise Mode Site List Portal workflow by employee role +The following workflow describes how to use the Enterprise Mode Site List Portal. + +1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) + +2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) + +3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) + +4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) + +5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) + +- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md index ae87b553de..34f58b78f4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md @@ -1,70 +1,70 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. -author: lomayor -ms.prod: ie11 -ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 12/04/2017 ---- - - -# Use the Enterprise Mode Site List Manager - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -## Enterprise Mode Site List Manager versions -There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system. - -|Schema version |Operating system |Enterprise Site List Manager version | -|-----------------|---------------|------------------------------------| -|Enterprise Mode schema, version 2 (v.2) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.

          For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).| -|Enterprise Mode schema, version 1 (v.1) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.

          For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)| - -## Using the Enterprise Mode Site List Manager -The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. - -|Topic |Description | -|------|------------| -|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). | -|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | -|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | -|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | -|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | -|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | - -## Related topics - - -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) -- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. +author: lomayor +ms.prod: ie11 +ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 12/04/2017 +--- + + +# Use the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +## Enterprise Mode Site List Manager versions +There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system. + +|Schema version |Operating system |Enterprise Site List Manager version | +|-----------------|---------------|------------------------------------| +|Enterprise Mode schema, version 2 (v.2) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.

          For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).| +|Enterprise Mode schema, version 1 (v.1) |Windows 10
          -OR-
          Windows 8.1
          -OR-
          Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.

          For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)| + +## Using the Enterprise Mode Site List Manager +The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. + +|Topic |Description | +|------|------------| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). | +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | +|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

          This topic applies to both versions of the Enterprise Mode Site List Manager. | + +## Related topics + + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index 41c083dc6e..992abebb63 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -1,58 +1,58 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. -author: lomayor -ms.prod: ie11 -ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# User interface problems with Internet Explorer 11 -Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes. - -## Where did features go in the Internet Explorer Customization Wizard 11? -Various installation or set up choices can prevent you from seeing certain pages in the Internet Explorer Customization Wizard 11. If, after going through the entire Wizard you still haven't found the screen you were looking for, try: - -- Making sure you picked the right version of IEAK 11 during installation. Most administrators should pick the **Internal** version, which has more screens and options available. - -- Making sure you picked all of the features you wanted from the **Feature Selection** page of the IE Customization Wizard 11. If you don't pick a feature, the associated page won't appear. - -## Where are the security zone settings? -You can see your security zone settings by opening Internet Explorer for the desktop, clicking **Internet Options** from the **Tools** menu, and then clicking **Security**. - -## Where did the Favorites, Command, and Status bars go? -For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings. - - **To turn the toolbars back on** - -- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu. -

          -OR-

          - In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press: - - - **C** to turn on the **Command Bar** - - - **F** to turn on the **Favorites Bar** - - - **S** to turn on the **Status Bar** - -## Where did the search box go? -IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. - ->[!NOTE] ->Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. +author: lomayor +ms.prod: ie11 +ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# User interface problems with Internet Explorer 11 +Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes. + +## Where did features go in the Internet Explorer Customization Wizard 11? +Various installation or set up choices can prevent you from seeing certain pages in the Internet Explorer Customization Wizard 11. If, after going through the entire Wizard you still haven't found the screen you were looking for, try: + +- Making sure you picked the right version of IEAK 11 during installation. Most administrators should pick the **Internal** version, which has more screens and options available. + +- Making sure you picked all of the features you wanted from the **Feature Selection** page of the IE Customization Wizard 11. If you don't pick a feature, the associated page won't appear. + +## Where are the security zone settings? +You can see your security zone settings by opening Internet Explorer for the desktop, clicking **Internet Options** from the **Tools** menu, and then clicking **Security**. + +## Where did the Favorites, Command, and Status bars go? +For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings. + + **To turn the toolbars back on** + +- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu. +

          -OR-

          + In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press: + + - **C** to turn on the **Command Bar** + + - **F** to turn on the **Favorites Bar** + + - **S** to turn on the **Status Bar** + +## Where did the search box go? +IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. + +>[!NOTE] +>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md index f003c50e45..2368c10f34 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md @@ -1,60 +1,60 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. -author: lomayor -ms.prod: ie11 -ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using IE7 Enterprise Mode or IE8 Enterprise Mode - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features. - -Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code: - -- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode. -- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode. - -**Important**
          -Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10. - -## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode -For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: - -- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) - -- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) - -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) - -- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) - -For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. +author: lomayor +ms.prod: ie11 +ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using IE7 Enterprise Mode or IE8 Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features. + +Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code: + +- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode. +- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode. + +**Important**
          +Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10. + +## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode +For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) + +For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md index b2f95cad98..d744070926 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md @@ -1,66 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use IEAK 11 while planning, customizing, and building the custom installation package. -author: lomayor -ms.prod: ie11 -ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages -Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11. - -**Note**
          IEAK 11 works in network environments, with or without Microsoft Active Directory. - -  - -## Plan, Customize, and Build with the IEAK 11 -Consider these activities while planning, customizing, and building the custom installation package. - -### Plan -Before you begin, you should: - -- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). - -- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, System Center System Center 2012 R2 Configuration Manager, or your network. - -- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons. - -- **Identify trusted network servers.** Decide which servers your employees should use to install the custom IE package. These servers need to be listed as trusted sites. - -- **Set up automatic detection and configuration settings.** Decide whether to automatically customize IE11 the first time it's started. - -- **Identify custom components for uninstallation.** Decide whether to include any custom uninstallation programs. Uninstallation programs let your employees remove your custom components through **Uninstall or change a program** in the Control Panel. - -- **Identify ActiveX controls.** Decide if you'll use ActiveX controls in your company. If you already use ActiveX, you should get an inventory of your active controls. - -### Customize and build -After installing IE11 and the IEAK 11, you should: - -- **Prepare your build computer.** Create your build environment on the computer you're using to build the custom package. - -- **Create your branding and custom graphics.** If you don't have any, create custom branding and graphic files for the browser toolbar button and icons in your **Favorites** list. - -- **Specify your servers as trusted sites.** Identify your installation servers as trusted sites, in the **Trusted sites zone** of the **Internet Options** box. - -- **Turn on automatic detection and configuration settings (Optional).** Set up your network so that IE is automatically customized the first time it's started. - -- **Set up custom components for uninstallation.** Create the custom .inf file you'll use to register your custom uninstallation programs. - -- **Set up ActiveX controls.** Add any new ActiveX controls to the Axaa.adm file, using a text editor. - -- **Create a custom browser package.** Create your custom installation package, using IE Customization Wizard 11. For more information about using the wizard, see [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use IEAK 11 while planning, customizing, and building the custom installation package. +author: lomayor +ms.prod: ie11 +ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages +Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11. + +**Note**
          IEAK 11 works in network environments, with or without Microsoft Active Directory. + +  + +## Plan, Customize, and Build with the IEAK 11 +Consider these activities while planning, customizing, and building the custom installation package. + +### Plan +Before you begin, you should: + +- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). + +- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, System Center System Center 2012 R2 Configuration Manager, or your network. + +- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons. + +- **Identify trusted network servers.** Decide which servers your employees should use to install the custom IE package. These servers need to be listed as trusted sites. + +- **Set up automatic detection and configuration settings.** Decide whether to automatically customize IE11 the first time it's started. + +- **Identify custom components for uninstallation.** Decide whether to include any custom uninstallation programs. Uninstallation programs let your employees remove your custom components through **Uninstall or change a program** in the Control Panel. + +- **Identify ActiveX controls.** Decide if you'll use ActiveX controls in your company. If you already use ActiveX, you should get an inventory of your active controls. + +### Customize and build +After installing IE11 and the IEAK 11, you should: + +- **Prepare your build computer.** Create your build environment on the computer you're using to build the custom package. + +- **Create your branding and custom graphics.** If you don't have any, create custom branding and graphic files for the browser toolbar button and icons in your **Favorites** list. + +- **Specify your servers as trusted sites.** Identify your installation servers as trusted sites, in the **Trusted sites zone** of the **Internet Options** box. + +- **Turn on automatic detection and configuration settings (Optional).** Set up your network so that IE is automatically customized the first time it's started. + +- **Set up custom components for uninstallation.** Create the custom .inf file you'll use to register your custom uninstallation programs. + +- **Set up ActiveX controls.** Add any new ActiveX controls to the Axaa.adm file, using a text editor. + +- **Create a custom browser package.** Create your custom installation package, using IE Customization Wizard 11. For more information about using the wizard, see [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md index 6c1dd0c421..a49bf820ae 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md @@ -1,45 +1,45 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use Setup Information (.inf) files to create installation packages. -author: lomayor -ms.prod: ie11 -ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Setup Information (.inf) files to create install packages -IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959). - - **To add uninstallation instructions to the .inf files** - -- Open the Registry Editor (regedit.exe) and add these registry keys: - ``` - HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description" - HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line" - ``` - Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked. -

          Note
          - Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the Uninstall or change a program. - -## Limitations -.Inf files have limitations: - -- You can't delete directories. - -- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298508). - -- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298510). - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use Setup Information (.inf) files to create installation packages. +author: lomayor +ms.prod: ie11 +ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Setup Information (.inf) files to create install packages +IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959). + + **To add uninstallation instructions to the .inf files** + +- Open the Registry Editor (regedit.exe) and add these registry keys: + ``` + HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description" + HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line" + ``` + Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked. +

          Note
          + Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the Uninstall or change a program. + +## Limitations +.Inf files have limitations: + +- You can't delete directories. + +- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298508). + +- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298510). + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md index b0c9ec8690..5c7c0a3d23 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md @@ -1,70 +1,70 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Verify your changes using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - ->[!Important] ->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. - -The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: - -- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. - -- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. - -- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. - -## Verify and send the change request to Approvers -The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. - -**To verify changes and send to the Approver(s)** -1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. - -2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. - - The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. - - -**To rollback your pre-production changes** -1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. - -2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. - - The change request and issue info are sent to the Administrators. - -3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. - - After the Requester rolls back the changes, the request can be updated and re-submitted. - - -## View rolled back change requests -The original Requester and the Administrator(s) group can view the rolled back change requests. - -**To view the rolled back change request** - -- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. - - All rolled back change requests appear, with role assignment determining which ones are visible. - -## Next steps -If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Verify your changes using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +>[!Important] +>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: + +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. + +- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. + +- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. + +## Verify and send the change request to Approvers +The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. + +**To verify changes and send to the Approver(s)** +1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. + + The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. + + +**To rollback your pre-production changes** +1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. + + The change request and issue info are sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. + + After the Requester rolls back the changes, the request can be updated and re-submitted. + + +## View rolled back change requests +The original Requester and the Administrator(s) group can view the rolled back change requests. + +**To view the rolled back change request** + +- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. + + All rolled back change requests appear, with role assignment determining which ones are visible. + +## Next steps +If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md index ec478a69f7..5678e10583 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md @@ -1,45 +1,45 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# Verify the change request update in the production environment using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -## Verify and sign off on the update in the production environment -The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful. - -**To verify the changes and sign off** -- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**. - - The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off. - - -**To rollback production changes** -1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results. - -2. Add a description about the issue into the **Change description** box, and then click **Send failure details**. - - The info is sent to the Administrators. - -3. The Requester clicks **Roll back** to roll back the changes in the production environment. - - After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# Verify the change request update in the production environment using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +## Verify and sign off on the update in the production environment +The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful. + +**To verify the changes and sign off** +- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**. + + The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off. + + +**To rollback production changes** +1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results. + +2. Add a description about the issue into the **Change description** box, and then click **Send failure details**. + + The info is sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the production environment. + + After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists. + diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md index 491687cebc..3c60851368 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md @@ -1,41 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List. - -**To view the active Enterprise Mode Site List** -1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page. - - The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. - -2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser. - - -**To export the active Enterprise Mode Site List** -1. On the **Production sites list** page, click **Export**. - -2. Save the ProductionSiteList.xlsx file. - - The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List. + +**To view the active Enterprise Mode Site List** +1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page. + + The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. + +2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser. + + +**To export the active Enterprise Mode Site List** +1. On the **Production sites list** page, click **Export**. + +2. Save the ProductionSiteList.xlsx file. + + The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser. diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md index f39f6b42eb..30db2d2faa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md @@ -1,53 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - -# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. - -**To view the reports** -1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page. - - The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. - -2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers. - -3. Click **Apply**. - - The reports all change to reflect the appropriate timeframe and group, including: - - - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List. - - - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field. - - - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**. - - - **All requests by status.** Shows how many change requests exist, based on each status. - - - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field. - - - **Request status by group.** Shows how many change requests exist, based on both group and status. - - - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field. - - - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + +# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. + +**To view the reports** +1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page. + + The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. + +2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers. + +3. Click **Apply**. + + The reports all change to reflect the appropriate timeframe and group, including: + + - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List. + + - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field. + + - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**. + + - **All requests by status.** Shows how many change requests exist, based on each status. + + - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field. + + - **Request status by group.** Shows how many change requests exist, based on both group and status. + + - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field. + + - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md index 30b5c76f3c..e83c91bf67 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md @@ -1,36 +1,36 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: virtualization -description: Virtualization and compatibility with Internet Explorer 11 -author: lomayor -ms.prod: ie11 -ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Virtualization and compatibility with Internet Explorer 11 -If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE. - -**Important**
          -We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](https://go.microsoft.com/fwlink/p/?LinkId=279707) to learn about the developer features that have been changed or deprecated since Internet Explorer 10. - -The Microsoft-supported options for virtualizing web apps are: - -- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653). - -- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](https://go.microsoft.com/fwlink/p/?LinkId=271654).

          -For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: virtualization +description: Virtualization and compatibility with Internet Explorer 11 +author: lomayor +ms.prod: ie11 +ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Virtualization and compatibility with Internet Explorer 11 +If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE. + +**Important**
          +We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](https://go.microsoft.com/fwlink/p/?LinkId=279707) to learn about the developer features that have been changed or deprecated since Internet Explorer 10. + +The Microsoft-supported options for virtualizing web apps are: + +- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653). + +- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](https://go.microsoft.com/fwlink/p/?LinkId=271654).

          +For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index b9089a1624..0212685d25 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -1,168 +1,168 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Info about the features included in Enterprise Mode with Internet Explorer 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/25/2018 ---- - - -# Enterprise Mode and the Enterprise Mode Site List - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -## Available dual-browser experiences -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - ->[!TIP] -> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. - -For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. - - -## What is Enterprise Mode? -Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. - -Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. - -### Enterprise Mode features -Enterprise Mode includes the following features: - -- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. - -- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. -Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. - -- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. - - >[!Important] - >All centrally-made decisions override any locally-made choices. - -- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. - -- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. - -## Enterprise Mode and the Enterprise Mode Site List XML file -The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. - -Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. - -### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. - -```xml - - - - EnterpriseSiteListManager - 10586 - 20150728.135021 - - - - IE8Enterprise - IE11 - - - default - IE11 - - - IE7Enterprise - IE11 - - - - - IE8Enterprise" - IE11 - - - IE7 - IE11 - - - IE7 - IE11 - - - -``` - -## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools -You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier. - -### Enterprise Mode Site List Manager -This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - -There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: - -- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. - - We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). - -- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. - - If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. - -### Enterprise Mode Site List Portal -The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. - -In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you: - -- Manage site lists from any device supporting Windows 7 or greater. - -- Submit change requests. - -- Operate offline through an on-premise solution. - -- Provide role-based governance. - -- Test configuration settings before releasing to a live environment. - -Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. - -Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics. - -## Related topics - -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) - -- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) - -- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) - -- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - -- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) - -- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) - -- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) - -- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Info about the features included in Enterprise Mode with Internet Explorer 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/25/2018 +--- + + +# Enterprise Mode and the Enterprise Mode Site List + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + +## Available dual-browser experiences +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. + +Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. + +>[!TIP] +> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. + +For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. + + +## What is Enterprise Mode? +Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. + +### Enterprise Mode features +Enterprise Mode includes the following features: + +- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. + +- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. +Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. + +- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. + + >[!Important] + >All centrally-made decisions override any locally-made choices. + +- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. + +- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. + +## Enterprise Mode and the Enterprise Mode Site List XML file +The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. + +Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. + +### Site list xml file +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. + +```xml + + + + EnterpriseSiteListManager + 10586 + 20150728.135021 + + + + IE8Enterprise + IE11 + + + default + IE11 + + + IE7Enterprise + IE11 + + + + + IE8Enterprise" + IE11 + + + IE7 + IE11 + + + IE7 + IE11 + + + +``` + +## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools +You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier. + +### Enterprise Mode Site List Manager +This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. + +There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. + + We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. + + If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. + +### Enterprise Mode Site List Portal +The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. + +In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you: + +- Manage site lists from any device supporting Windows 7 or greater. + +- Submit change requests. + +- Operate offline through an on-premise solution. + +- Provide role-based governance. + +- Test configuration settings before releasing to a live environment. + +Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics. + +## Related topics + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) + +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) + +- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) + +- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) + +- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index f1e454751b..2343973365 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -1,152 +1,152 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 -ms.reviewer: -manager: dansimp -title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 05/10/2018 ---- - - -# What is the Internet Explorer 11 Blocker Toolkit? - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. - ->[!IMPORTANT] ->The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. - -## Install the toolkit - -1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). - -2. Accept the license agreement and store the included four files on your local computer. - -3. Start an elevated Command Prompt by going to **Start**>**All Programs**>**Accessories**> right-clicking on **Command Prompt**, and then choosing **Run as Administrator**. - -4. In the Command Prompt, change to the location where you put the 4 files. - -5. In the Command Prompt, type `ie11_blocker.cmd /B` and press Enter.

          -Wait for the message, **Blocking deployment of IE11 on the local machine. The operation completed successfully.** - -6. Close the Command Prompt. - -For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). - -## Automatic updates -Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. - -### Automatic delivery process -Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer. - -Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.  - -### Internet Explorer 11 automatic upgrades - -Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. - -Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. - -### Options for blocking automatic delivery - -If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: - -- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - - >[!NOTE] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). - -- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. - ->[!NOTE] ->If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. - - -### Prevent automatic installation of Internet Explorer 11 with WSUS - -Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** - - >[!NOTE] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - - >[!NOTE] - >The properties for this rule will resemble the following:

          • When an update is in Update Rollups
          • Approve the update for all computers
          - -6. Clear the **Update Rollup** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box. - -After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Synchronizations**. - -3. Click **Synchronize Now**. - -4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. - -5. Choose **Unapproved** in the **Approval**drop down box. - -6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. - ->[!NOTE] ->There may be multiple updates, depending on the imported language and operating system updates. - -### Optional - Reset update rollups packages to auto-approve - -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. - -2. Expand *ComputerName*, and then click **Options**. - -3. Click **Automatic Approvals**. - -4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. - -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - -6. Check the **Update Rollups** check box, and then click **OK**. - -7. Click **OK** to close the **Automatic Approvals** dialog box. - ->[!NOTE] ->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. - - - -## Additional resources - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md) - -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - -- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md) - -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 +ms.reviewer: +audience: itpro manager: dansimp +title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 05/10/2018 +--- + + +# What is the Internet Explorer 11 Blocker Toolkit? + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. + +>[!IMPORTANT] +>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. + +## Install the toolkit + +1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). + +2. Accept the license agreement and store the included four files on your local computer. + +3. Start an elevated Command Prompt by going to **Start**>**All Programs**>**Accessories**> right-clicking on **Command Prompt**, and then choosing **Run as Administrator**. + +4. In the Command Prompt, change to the location where you put the 4 files. + +5. In the Command Prompt, type `ie11_blocker.cmd /B` and press Enter.

          +Wait for the message, **Blocking deployment of IE11 on the local machine. The operation completed successfully.** + +6. Close the Command Prompt. + +For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). + +## Automatic updates +Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. + +### Automatic delivery process +Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer. + +Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.  + +### Internet Explorer 11 automatic upgrades + +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + +Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. + +### Options for blocking automatic delivery + +If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: + +- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + + >[!NOTE] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). + +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + +>[!NOTE] +>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. + + +### Prevent automatic installation of Internet Explorer 11 with WSUS + +Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** + + >[!NOTE] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!NOTE] + >The properties for this rule will resemble the following:

          • When an update is in Update Rollups
          • Approve the update for all computers
          + +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Synchronizations**. + +3. Click **Synchronize Now**. + +4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +5. Choose **Unapproved** in the **Approval**drop down box. + +6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + +>[!NOTE] +>There may be multiple updates, depending on the imported language and operating system updates. + +### Optional - Reset update rollups packages to auto-approve + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!NOTE] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. + + + +## Additional resources + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md index 86d1ead8ce..e9ee67796d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md @@ -1,46 +1,46 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. -author: lomayor -ms.prod: ie11 -title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp -ms.author: lomayor ---- - - -# Workflow-based processes for employees using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow. - -## In this section -|Topic |Description | -|---------------------------------------------------------------|-----------------------------------------------------------------------------------| -|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.| -|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.| -|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.| -|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.| -|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.| -|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.| -|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. | - - -## Related topics -- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) - -- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) - -- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. +author: lomayor +ms.prod: ie11 +title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +--- + + +# Workflow-based processes for employees using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow. + +## In this section +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.| +|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.| +|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.| +|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.| +|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.| +|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.| +|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. | + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 0eb0c067b3..9230c868d0 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md @@ -1,203 +1,203 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: explore -description: Frequently asked questions about Internet Explorer 11 for IT Pros -author: lomayor -ms.prod: ie11 -ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Internet Explorer 11 - FAQ for IT Pros -Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. - -## Frequently Asked Questions - -**Q: What operating system does IE11 run on?** - -- Windows 10 - -- Windows 8.1 - -- Windows Server 2012 R2 - -- Windows 7 with Service Pack 1 (SP1) - -- Windows Server 2008 R2 with Service Pack 1 (SP1) - - -**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
          -IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. - -**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
          -You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). - -**Q: How does IE11 integrate with Windows 8.1?**
          -IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. - -**Q: What are the new or improved security features?**
          -IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. - -**Q: How is Microsoft supporting modern web standards, such as WebGL?**
          -Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.

          -Supported web standards include: - -- Web Graphics Library (WebGL) - -- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules - -- Fullscreen API - -- Encrypted media extensions - -- Media source extensions - -- CSS flexible box layout module - -- And mutation observers like DOM4 and 5.3 - -For more information about specific changes and additions, see the [IE11 guide for developers](https://go.microsoft.com/fwlink/p/?LinkId=313188). - -**Q: What test tools exist to test for potential application compatibility issues?**
          -The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. - -**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
          -It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: - -- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. - -**Q: Is there a compatibility list for IE?**
          -Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). - -**Q: What is Enterprise Mode?**
          -Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

          -For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). - -**Q: What is the Enterprise Mode Site List Manager tool?**
          -Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

          -For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). - -**Q: Are browser plug-ins supported in IE11?**
          -The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. - -**Q: Is Adobe Flash supported on IE11?**
          -Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

          -**Important**
          -The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. - -**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
          -No. Windows 8.1 doesn't support any of the previous versions of IE. - -**Q: Are there any new Group Policy settings in IE11?**
          -IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: - -- Turn off Page Prediction - -- Turn on the swiping motion for Internet Explorer for the desktop - -- Allow Microsoft services to provide more relevant and personalized search results - -- Turn off phone number detection - -- Allow IE to use the SPDY/3 network protocol - -- Let users turn on and use Enterprise Mode from the **Tools** menu - -- Use the Enterprise Mode IE website list - -For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). - - -**Q: Where can I get more information about IE11 for IT pros?**
          -Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. - - - -**Q: Can I customize settings for IE on Windows 8.1?**
          -Settings can be customized in the following ways: - -- IE11 **Settings** charm. - -- IE11-related Group Policy settings. - -- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. - -**Q: Can I make Internet Explorer for the desktop my default browsing experience?**
          -Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

          - -|Setting |Result | -|--------|-------| -|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. | -|Always in IE11 |Links always open in IE. | -|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | - - -**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - - - -**Q. What are the different modes available for the Internet Explorer Customization Wizard?** -The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). - -The following table displays which pages are available in IEAK 11, based on the licensing mode: - -| **Wizard Pages** | **External** | **Internal** | -|-------------------------------------------|--------------|--------------| -| Welcome to the IEAK | Yes | Yes | -| File Locations | Yes | Yes | -| Platform Selection | Yes | Yes | -| Language Selection | Yes | Yes | -| Package Type Selection | Yes | Yes | -| Feature Selection | Yes | Yes | -| Automatic Version Synchronization | Yes | Yes | -| Custom Components | Yes | Yes | -| Corporate Install | No | Yes | -| User Experience | No | Yes | -| Browser User Interface | Yes | Yes | -| Search Providers | Yes | Yes | -| Important URLs - Home page and Support | Yes | Yes | -| Accelerators | Yes | Yes | -| Favorites, Favorites Bar, and Feeds | Yes | Yes | -| Browsing Options | No | Yes | -| First Run Wizard and Welcome Page Options | Yes | Yes | -| Compatibility View | Yes | Yes | -| Connection Manager | Yes | Yes | -| Connection Settings | Yes | Yes | -| Automatic Configuration | No | Yes | -| Proxy Settings | Yes | Yes | -| Security and Privacy Settings | No | Yes | -| Add a Root Certificate | Yes | No | -| Programs | Yes | Yes | -| Additional Settings | No | Yes | -| Wizard Complete | Yes | Yes | - - -## Related topics -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: explore +description: Frequently asked questions about Internet Explorer 11 for IT Pros +author: lomayor +ms.prod: ie11 +ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Internet Explorer 11 - FAQ for IT Pros +Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. + +## Frequently Asked Questions + +**Q: What operating system does IE11 run on?** + +- Windows 10 + +- Windows 8.1 + +- Windows Server 2012 R2 + +- Windows 7 with Service Pack 1 (SP1) + +- Windows Server 2008 R2 with Service Pack 1 (SP1) + + +**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
          +IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. + +**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
          +You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). + +**Q: How does IE11 integrate with Windows 8.1?**
          +IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. + +**Q: What are the new or improved security features?**
          +IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. + +**Q: How is Microsoft supporting modern web standards, such as WebGL?**
          +Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.

          +Supported web standards include: + +- Web Graphics Library (WebGL) + +- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules + +- Fullscreen API + +- Encrypted media extensions + +- Media source extensions + +- CSS flexible box layout module + +- And mutation observers like DOM4 and 5.3 + +For more information about specific changes and additions, see the [IE11 guide for developers](https://go.microsoft.com/fwlink/p/?LinkId=313188). + +**Q: What test tools exist to test for potential application compatibility issues?**
          +The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. + +**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
          +It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: + +- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + +For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. + +**Q: Is there a compatibility list for IE?**
          +Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). + +**Q: What is Enterprise Mode?**
          +Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

          +For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). + +**Q: What is the Enterprise Mode Site List Manager tool?**
          +Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

          +For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). + +**Q: Are browser plug-ins supported in IE11?**
          +The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. + +**Q: Is Adobe Flash supported on IE11?**
          +Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

          +**Important**
          +The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. + +**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
          +No. Windows 8.1 doesn't support any of the previous versions of IE. + +**Q: Are there any new Group Policy settings in IE11?**
          +IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: + +- Turn off Page Prediction + +- Turn on the swiping motion for Internet Explorer for the desktop + +- Allow Microsoft services to provide more relevant and personalized search results + +- Turn off phone number detection + +- Allow IE to use the SPDY/3 network protocol + +- Let users turn on and use Enterprise Mode from the **Tools** menu + +- Use the Enterprise Mode IE website list + +For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). + + +**Q: Where can I get more information about IE11 for IT pros?**
          +Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. + + + +**Q: Can I customize settings for IE on Windows 8.1?**
          +Settings can be customized in the following ways: + +- IE11 **Settings** charm. + +- IE11-related Group Policy settings. + +- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. + +**Q: Can I make Internet Explorer for the desktop my default browsing experience?**
          +Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

          + +|Setting |Result | +|--------|-------| +|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. | +|Always in IE11 |Links always open in IE. | +|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | + + +**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + +| | | | +|---------|---------|---------| +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + + + +**Q. What are the different modes available for the Internet Explorer Customization Wizard?** +The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). + +The following table displays which pages are available in IEAK 11, based on the licensing mode: + +| **Wizard Pages** | **External** | **Internal** | +|-------------------------------------------|--------------|--------------| +| Welcome to the IEAK | Yes | Yes | +| File Locations | Yes | Yes | +| Platform Selection | Yes | Yes | +| Language Selection | Yes | Yes | +| Package Type Selection | Yes | Yes | +| Feature Selection | Yes | Yes | +| Automatic Version Synchronization | Yes | Yes | +| Custom Components | Yes | Yes | +| Corporate Install | No | Yes | +| User Experience | No | Yes | +| Browser User Interface | Yes | Yes | +| Search Providers | Yes | Yes | +| Important URLs - Home page and Support | Yes | Yes | +| Accelerators | Yes | Yes | +| Favorites, Favorites Bar, and Feeds | Yes | Yes | +| Browsing Options | No | Yes | +| First Run Wizard and Welcome Page Options | Yes | Yes | +| Compatibility View | Yes | Yes | +| Connection Manager | Yes | Yes | +| Connection Settings | Yes | Yes | +| Automatic Configuration | No | Yes | +| Proxy Settings | Yes | Yes | +| Security and Privacy Settings | No | Yes | +| Add a Root Certificate | Yes | No | +| Programs | Yes | Yes | +| Additional Settings | No | Yes | +| Wizard Complete | Yes | Yes | + + +## Related topics +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md index 67093919f3..392e7cc26e 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md @@ -1,120 +1,120 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: explore -description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions - -Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. - ->[!Important] ->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. - -- [Automatic updates delivery process](#automatic-updates-delivery-process) - -- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) - -- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) - -## Automatic Updates delivery process - - -**Q. Which users will receive Internet Explorer 11 as an important update?** -A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). - -**Q. When is the Blocker Toolkit available?** -A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - -**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** -A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). - -**Q. How long does the blocker mechanism work?** -A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. - -**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** -A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. - -The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or -other update management solution. - -**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** -A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. - -## How the Internet Explorer 11 Blocker Toolkit works - -**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** -A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. - -**Q. What’s the registry key used to block delivery of Internet Explorer 11?** -A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 - -**Q. What’s the registry key name and values?** -The registry key name is **DoNotAllowIE11**, where: - -- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. - -- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a - manual update. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** -A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** -A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. - -**Q. How does the provided script work?** -A. The script accepts one of two command line options: - -- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - -- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - -**Q. What’s the ADM template file used for?** -A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. - -**Q. Is the tool localized?** -A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. - -## Internet Explorer 11 Blocker Toolkit and other update services - -**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
          -Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. - -**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** -A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. - -**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** -A. You only need to change your settings if: - -- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. - - -and- - -- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. - - -and- - -- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. - -If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. - - -## Additional resources - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - -- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) - -- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) +--- +ms.localizationpriority: medium +ms.mktglfcycl: explore +description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions + +Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. + +>[!Important] +>If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. + +- [Automatic updates delivery process](#automatic-updates-delivery-process) + +- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) + +- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) + +## Automatic Updates delivery process + + +**Q. Which users will receive Internet Explorer 11 as an important update?** +A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). + +**Q. When is the Blocker Toolkit available?** +A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + +**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** +A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). + +**Q. How long does the blocker mechanism work?** +A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. + +**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** +A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. + +The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or +other update management solution. + +**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** +A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. + +## How the Internet Explorer 11 Blocker Toolkit works + +**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** +A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. + +**Q. What’s the registry key used to block delivery of Internet Explorer 11?** +A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 + +**Q. What’s the registry key name and values?** +The registry key name is **DoNotAllowIE11**, where: + +- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. + +- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a + manual update. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** +A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** +A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. + +**Q. How does the provided script work?** +A. The script accepts one of two command line options: + +- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +**Q. What’s the ADM template file used for?** +A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. + +**Q. Is the tool localized?** +A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. + +## Internet Explorer 11 Blocker Toolkit and other update services + +**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
          +Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. + +**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** +A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. + +**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** +A. You only need to change your settings if: + +- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. + + -and- + +- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. + + -and- + +- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. + +If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. + + +## Additional resources + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md index da2478e9e8..3af0ec2d32 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md +++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md @@ -1,120 +1,120 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: IEAK 11 - Frequently Asked Questions -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# IEAK 11 - Frequently Asked Questions - -Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. - -**What is IEAK 11?** - -IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). - -**What are the supported operating systems?** - -You can customize and install IEAK 11 on the following supported operating systems: - -- Windows 8 - -- Windows Server 2012 - -- Windows 7 Service Pack 1 (SP1) - -- Windows Server 2008 R2 Service Pack 1 (SP1) - ->[!Note] ->IEAK 11 does not support building custom packages for Windows RT. - - -**What can I customize with IEAK 11?** - -The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. - ->[!Note] ->Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. - -**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - ->[!Note] ->IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). - -**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
          -Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: - -- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter. - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - -**What are the different modes available for the Internet Explorer Customization Wizard?** -The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md). - -The following table displays which pages are available in IEAK 11, based on the licensing mode: - -| **Wizard Pages** | **External** | **Internal** | -|-------------------------------------------|--------------|--------------| -| Welcome to the IEAK | Yes | Yes | -| File Locations | Yes | Yes | -| Platform Selection | Yes | Yes | -| Language Selection | Yes | Yes | -| Package Type Selection | Yes | Yes | -| Feature Selection | Yes | Yes | -| Automatic Version Synchronization | Yes | Yes | -| Custom Components | Yes | Yes | -| Corporate Install | No | Yes | -| User Experience | No | Yes | -| Browser User Interface | Yes | Yes | -| Search Providers | Yes | Yes | -| Important URLs - Home page and Support | Yes | Yes | -| Accelerators | Yes | Yes | -| Favorites, Favorites Bar, and Feeds | Yes | Yes | -| Browsing Options | No | Yes | -| First Run Wizard and Welcome Page Options | Yes | Yes | -| Compatibility View | Yes | Yes | -| Connection Manager | Yes | Yes | -| Connection Settings | Yes | Yes | -| Automatic Configuration | No | Yes | -| Proxy Settings | Yes | Yes | -| Security and Privacy Settings | No | Yes | -| Add a Root Certificate | Yes | No | -| Programs | Yes | Yes | -| Additional Settings | No | Yes | -| Wizard Complete | Yes | Yes | - - -**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - -## Additional resources - -[Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517) -[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244) -[IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: IEAK 11 - Frequently Asked Questions +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# IEAK 11 - Frequently Asked Questions + +Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. + +**What is IEAK 11?** + +IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). + +**What are the supported operating systems?** + +You can customize and install IEAK 11 on the following supported operating systems: + +- Windows 8 + +- Windows Server 2012 + +- Windows 7 Service Pack 1 (SP1) + +- Windows Server 2008 R2 Service Pack 1 (SP1) + +>[!Note] +>IEAK 11 does not support building custom packages for Windows RT. + + +**What can I customize with IEAK 11?** + +The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. + +>[!Note] +>Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. + +**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +>[!Note] +>IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). + +**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
          +Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: + +- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter. + +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) + +**What are the different modes available for the Internet Explorer Customization Wizard?** +The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md). + +The following table displays which pages are available in IEAK 11, based on the licensing mode: + +| **Wizard Pages** | **External** | **Internal** | +|-------------------------------------------|--------------|--------------| +| Welcome to the IEAK | Yes | Yes | +| File Locations | Yes | Yes | +| Platform Selection | Yes | Yes | +| Language Selection | Yes | Yes | +| Package Type Selection | Yes | Yes | +| Feature Selection | Yes | Yes | +| Automatic Version Synchronization | Yes | Yes | +| Custom Components | Yes | Yes | +| Corporate Install | No | Yes | +| User Experience | No | Yes | +| Browser User Interface | Yes | Yes | +| Search Providers | Yes | Yes | +| Important URLs - Home page and Support | Yes | Yes | +| Accelerators | Yes | Yes | +| Favorites, Favorites Bar, and Feeds | Yes | Yes | +| Browsing Options | No | Yes | +| First Run Wizard and Welcome Page Options | Yes | Yes | +| Compatibility View | Yes | Yes | +| Connection Manager | Yes | Yes | +| Connection Settings | Yes | Yes | +| Automatic Configuration | No | Yes | +| Proxy Settings | Yes | Yes | +| Security and Privacy Settings | No | Yes | +| Add a Root Certificate | Yes | No | +| Programs | Yes | Yes | +| Additional Settings | No | Yes | +| Wizard Complete | Yes | Yes | + + +**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + +| | | | +|---------|---------|---------| +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + +## Additional resources + +[Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517) +[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244) +[IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md index e20d675e6d..2927489c83 100644 --- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md @@ -1,45 +1,45 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices. -author: lomayor -ms.prod: ie11 -ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Accelerators page in the IEAK 11 Wizard -The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map. - -**Note**
          -The customizations you make on this page apply only to Internet Explorer for the desktop. - - **To use the Accelerators page** - -1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list. - -2. Click **Add** to add more accelerators.

          -The **Add Accelerator** box appears. - -3. Use the **Browse** button to go to your custom accelerator XML file. - -4. Check the **Set this Accelerator as the default for the category** box if you want this accelerator to be the default value that shows up for the category. - -5. Click **Edit** to change your accelerator information, click **Set Default** to make an accelerator the default value for a category, or **Remove** to delete an accelerator. - -6. Click **Next** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page or **Back** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices. +author: lomayor +ms.prod: ie11 +ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Accelerators page in the IEAK 11 Wizard +The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map. + +**Note**
          +The customizations you make on this page apply only to Internet Explorer for the desktop. + + **To use the Accelerators page** + +1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list. + +2. Click **Add** to add more accelerators.

          +The **Add Accelerator** box appears. + +3. Use the **Browse** button to go to your custom accelerator XML file. + +4. Check the **Set this Accelerator as the default for the category** box if you want this accelerator to be the default value that shows up for the category. + +5. Click **Edit** to change your accelerator information, click **Set Default** to make an accelerator the default value for a category, or **Remove** to delete an accelerator. + +6. Click **Next** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page or **Back** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md index 1e9bb4b8b3..a0d56ae1d9 100644 --- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use IEAK 11 to add and approve ActiveX controls for your organization. -author: lomayor -ms.prod: ie11 -ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add and approve ActiveX controls using IEAK 11 -There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). - -**Note**
          -ActiveX controls are supported in Internet Explorer for the desktop for Windows 7 and Windows 8.1. They are not supported on the immersive version of Internet Explorer for Windows 8.1. - -## Scenario 1: Limited Internet-only use of ActiveX controls -While you might not care about your employees using ActiveX controls while on your intranet sites, you probably do want to limit ActiveX usage while your employee is on the Internet. By specifying and pre-approving a set of generic controls for use on the Internet, you’re able to let your employees use the Internet, but you can still limit your company’s exposure to potentially hazardous, non-approved ActiveX controls. - -For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `\Windows\Downloaded Program Files` folder. Then, as part of your browser package, you can enable and approve these ActiveX controls to run on this specific site; while all additional controls are blocked. - -**To add and approve ActiveX controls** - -1. In IE, click **Tools**, and then **Internet Options**. - -2. On the **Security** tab, click the zone that needs to change, and click **Custom Level**. - -3. Go to **Run ActiveX controls and plug-ins**, and then click **Administrator approved**. - -4. Repeat the last two steps until you have configured all the zones you want. - -5. When you run the IEAK 11 Customization Wizard to create a custom package, you'll use the [Additional Settings](additional-settings-ieak11-wizard.md) page, clicking each folder to expand its contents. Then select the check boxes for the controls you want to approve. - -## Scenario 2: Restricted use of ActiveX controls -You can get a higher degree of management over ActiveX controls by listing each of them out and then allowing the browser to use only that set of controls. The biggest challenge to using this method is the extra effort you need to put into figuring out all of the controls, and then actually listing them out. Because of that, we only recommend this approach if your complete set of controls is relatively small. - -After you decide which controls you want to allow, you can specify them as approved by zone, using the process described in the first scenario. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use IEAK 11 to add and approve ActiveX controls for your organization. +author: lomayor +ms.prod: ie11 +ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add and approve ActiveX controls using IEAK 11 +There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). + +**Note**
          +ActiveX controls are supported in Internet Explorer for the desktop for Windows 7 and Windows 8.1. They are not supported on the immersive version of Internet Explorer for Windows 8.1. + +## Scenario 1: Limited Internet-only use of ActiveX controls +While you might not care about your employees using ActiveX controls while on your intranet sites, you probably do want to limit ActiveX usage while your employee is on the Internet. By specifying and pre-approving a set of generic controls for use on the Internet, you’re able to let your employees use the Internet, but you can still limit your company’s exposure to potentially hazardous, non-approved ActiveX controls. + +For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `\Windows\Downloaded Program Files` folder. Then, as part of your browser package, you can enable and approve these ActiveX controls to run on this specific site; while all additional controls are blocked. + +**To add and approve ActiveX controls** + +1. In IE, click **Tools**, and then **Internet Options**. + +2. On the **Security** tab, click the zone that needs to change, and click **Custom Level**. + +3. Go to **Run ActiveX controls and plug-ins**, and then click **Administrator approved**. + +4. Repeat the last two steps until you have configured all the zones you want. + +5. When you run the IEAK 11 Customization Wizard to create a custom package, you'll use the [Additional Settings](additional-settings-ieak11-wizard.md) page, clicking each folder to expand its contents. Then select the check boxes for the controls you want to approve. + +## Scenario 2: Restricted use of ActiveX controls +You can get a higher degree of management over ActiveX controls by listing each of them out and then allowing the browser to use only that set of controls. The biggest challenge to using this method is the extra effort you need to put into figuring out all of the controls, and then actually listing them out. Because of that, we only recommend this approach if your complete set of controls is relatively small. + +After you decide which controls you want to allow, you can specify them as approved by zone, using the process described in the first scenario. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md index 000c0238e4..72e79f106f 100644 --- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md @@ -1,29 +1,29 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. -author: lomayor -ms.prod: ie11 -ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Add a Root Certificate page in the IEAK 11 Wizard -We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. - -Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. +author: lomayor +ms.prod: ie11 +ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Add a Root Certificate page in the IEAK 11 Wizard +We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. + +Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md index 59d96545ea..2a15fe18e9 100644 --- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md @@ -1,41 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security. -author: lomayor -ms.prod: ie11 -ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Additional Settings page in the IEAK 11 Wizard -The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored. - -The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package. - -You can store your user settings in a central location so your employees that log on from computer to computer can use them. For example if you have an employee that requires low security using a computer that’s typically operated by someone that needs more restrictive permissions. - -You’ll only see this page if you are running the **Internal** version of the IE Customization Wizard 11. - -**To use the Additional Settings page** - -1. Double-click **Custom Settings**, **Corporate Settings**, or **Internet Settings**, and review the included policy or restriction settings. - -2. Pick the setting you want to change, and then update its details. - -3. Click **Next** to go to the [Wizard Complete-Next Steps](wizard-complete-ieak11-wizard.md) page or **Back** to go to the [Programs](programs-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security. +author: lomayor +ms.prod: ie11 +ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Additional Settings page in the IEAK 11 Wizard +The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored. + +The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package. + +You can store your user settings in a central location so your employees that log on from computer to computer can use them. For example if you have an employee that requires low security using a computer that’s typically operated by someone that needs more restrictive permissions. + +You’ll only see this page if you are running the **Internal** version of the IE Customization Wizard 11. + +**To use the Additional Settings page** + +1. Double-click **Custom Settings**, **Corporate Settings**, or **Internet Settings**, and review the included policy or restriction settings. + +2. Pick the setting you want to change, and then update its details. + +3. Click **Next** to go to the [Wizard Complete-Next Steps](wizard-complete-ieak11-wizard.md) page or **Back** to go to the [Programs](programs-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md index 24d7df97b1..5c77b9bc67 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md @@ -1,59 +1,59 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE. -author: lomayor -ms.prod: ie11 -ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Automatic Configuration page in the IEAK 11 Wizard -The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices. - -**Note**
          -This page only appears if you’re using the **Internal** version of the wizard. - -You can set your proxy settings using Internet setting (.ins) files. You can also configure and maintain your advanced proxy settings using JScript (.js), JavaScript (.jvs), or proxy auto-configuration (.pac) script files. When you provide an auto-proxy script, IE dynamically determines whether to connect directly to a host or to use a proxy server. - -You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages. - -**To check the existing settings on your employee’s devices** - -1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab. - -2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box. - -**To use the Automatic Configuration page** - -1. Check the **Automatically detect configuration settings** box to automatically detect browser settings. - -2. Check the **Enable Automatic Configuration** box if you plan to automatically change your IE settings after deployment, using configuration files. You can then: - - - Type the length of time (in minutes) for how often settings are to be applied in your company. Putting zero (**0**), or nothing, in this box will cause automatic configuration to only happen when the computer’s restarted. - - - Type the location to your .ins file. You can edit this file directly to make any necessary changes. - - The updates will take effect the next time your employee starts IE, or during your next scheduled update. - - - Type the location to your automatic proxy script file. - - **Note**
          - If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `https://share/test.ins`. - -3. Click **Next** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page or **Back** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE. +author: lomayor +ms.prod: ie11 +ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Automatic Configuration page in the IEAK 11 Wizard +The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices. + +**Note**
          +This page only appears if you’re using the **Internal** version of the wizard. + +You can set your proxy settings using Internet setting (.ins) files. You can also configure and maintain your advanced proxy settings using JScript (.js), JavaScript (.jvs), or proxy auto-configuration (.pac) script files. When you provide an auto-proxy script, IE dynamically determines whether to connect directly to a host or to use a proxy server. + +You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages. + +**To check the existing settings on your employee’s devices** + +1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab. + +2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box. + +**To use the Automatic Configuration page** + +1. Check the **Automatically detect configuration settings** box to automatically detect browser settings. + +2. Check the **Enable Automatic Configuration** box if you plan to automatically change your IE settings after deployment, using configuration files. You can then: + + - Type the length of time (in minutes) for how often settings are to be applied in your company. Putting zero (**0**), or nothing, in this box will cause automatic configuration to only happen when the computer’s restarted. + + - Type the location to your .ins file. You can edit this file directly to make any necessary changes. + + The updates will take effect the next time your employee starts IE, or during your next scheduled update. + + - Type the location to your automatic proxy script file. + + **Note**
          + If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `https://share/test.ins`. + +3. Click **Next** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page or **Back** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md index 3c1997587f..e858e5228b 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md @@ -1,62 +1,62 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization. -author: lomayor -ms.prod: ie11 -ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Set up auto detection for DHCP or DNS servers using IEAK 11 -Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac). - -Before you can set up your environment to use automatic detection, you need to turn the feature on. - -**To turn on the automatic detection feature** - -- Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md). - -## Automatic detection on DHCP and DNS servers -Automatic detection works even if the browser wasn't originally set up or installed by the administrator. - -- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. -

          Note
          - Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options. - -- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file. -

          Note
          - DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. - -**To set up automatic detection for DHCP servers** - -- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - - **Examples:**
          - `https://www.microsoft.com/webproxy.pac`
          - `https://marketing/config.ins`
          - `https://123.4.567.8/account.pac`

          - For more detailed info about how to set up your DHCP server, see your server documentation. - -**To set up automatic detection for DNS servers** - -1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

          The syntax is:
          - ` IN A `
          - `corserv IN A 192.55.200.143`
          - `nameserver2 IN A 192.55.200.2`
          - `mailserver1 IN A 192.55.200.51` -

          -OR-

          - Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

          - Note
          For more info about creating a WPAD entry, see Creating a WPAD entry in DNS. - -2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. - -**Note**
          -IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization. +author: lomayor +ms.prod: ie11 +ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Set up auto detection for DHCP or DNS servers using IEAK 11 +Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac). + +Before you can set up your environment to use automatic detection, you need to turn the feature on. + +**To turn on the automatic detection feature** + +- Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md). + +## Automatic detection on DHCP and DNS servers +Automatic detection works even if the browser wasn't originally set up or installed by the administrator. + +- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. +

          Note
          + Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options. + +- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file. +

          Note
          + DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. + +**To set up automatic detection for DHCP servers** + +- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). + + **Examples:**
          + `https://www.microsoft.com/webproxy.pac`
          + `https://marketing/config.ins`
          + `https://123.4.567.8/account.pac`

          + For more detailed info about how to set up your DHCP server, see your server documentation. + +**To set up automatic detection for DNS servers** + +1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

          The syntax is:
          + ` IN A `
          + `corserv IN A 192.55.200.143`
          + `nameserver2 IN A 192.55.200.2`
          + `mailserver1 IN A 192.55.200.51` +

          -OR-

          + Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

          + Note
          For more info about creating a WPAD entry, see Creating a WPAD entry in DNS. + +2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. + +**Note**
          +IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. + diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md index 336b704352..9a3f704cf0 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md @@ -1,48 +1,48 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard. -author: lomayor -ms.prod: ie11 -ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Automatic Version Synchronization page in the IEAK 11 Wizard -The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages. - -**Important**
          -You must run the **Automatic Version Synchronization** page once for each operating system and language combination of IE. - -The **Automatic Version Synchronization** page tells you: - -- **Version available on your machine**. The version of IE11 that’s running on the computer that’s also running the IE Customization Wizard 11. - -- **Latest version available on web**. The most recently released version of the IE Customization Wizard 11. To get this value, the wizard compares the version of IE on your computer to the latest version of IE on the **Downloads** site. If the versions are different, you’ll be asked to update your version of IE. - -- **Disk space required**. The amount of space on your hard drive needed to update the browser. - -- **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11. - - -**To use the Automatic Version Synchronization page** - -1. Click **Synchronize**.

          -You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue. - -2. Click **Next** to go to the [Custom Components](custom-components-ieak11-wizard.md) page or **Back** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard. +author: lomayor +ms.prod: ie11 +ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Automatic Version Synchronization page in the IEAK 11 Wizard +The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages. + +**Important**
          +You must run the **Automatic Version Synchronization** page once for each operating system and language combination of IE. + +The **Automatic Version Synchronization** page tells you: + +- **Version available on your machine**. The version of IE11 that’s running on the computer that’s also running the IE Customization Wizard 11. + +- **Latest version available on web**. The most recently released version of the IE Customization Wizard 11. To get this value, the wizard compares the version of IE on your computer to the latest version of IE on the **Downloads** site. If the versions are different, you’ll be asked to update your version of IE. + +- **Disk space required**. The amount of space on your hard drive needed to update the browser. + +- **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11. + + +**To use the Automatic Version Synchronization page** + +1. Click **Synchronize**.

          +You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue. + +2. Click **Next** to go to the [Custom Components](custom-components-ieak11-wizard.md) page or **Back** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md index 4558426d56..9bea8f5c1c 100644 --- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: A list of steps to follow before you start to create your custom browser installation packages. -author: lomayor -ms.author: lomayor -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 -ms.reviewer: -manager: dansimp -title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 04/24/2018 ---- - - -# Before you start using IEAK 11 - -Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: - -- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - -- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md). - -- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). - -- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). - -- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly? - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: A list of steps to follow before you start to create your custom browser installation packages. +author: lomayor +ms.author: lomayor +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 +ms.reviewer: +audience: itpro manager: dansimp +title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 04/24/2018 +--- + + +# Before you start using IEAK 11 + +Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: + +- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). + +- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md). + +- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). + +- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). + +- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly? + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md index 9fa48060a5..7f9c6d989e 100644 --- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md @@ -1,54 +1,54 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package. -author: lomayor -ms.prod: ie11 -ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Branding .INS file to create custom branding and setup info -Info about the custom branding and setup information in your browser package. - -|Name |Value | Description | -|-----------|--------------------------------|--------------------------------------------------------------| -|Add on URL | `` |The add-on URL for the product updates command in the browser.| -|BrowserDefault|

          • **0.** Locks down Internet Explorer as the default browser.
          • **1.** Preserves the existing default browser.
          • **2.** Lets the employee decide the default browser.
          | Determines the default browser behavior. | -|CMBitmapName | `` | The file name for the Connection Manager custom bitmap. | -|CMBitmapPath | `` | The full file path to the Connection Manager custom bitmap file. | -|CMProfileName| `` | The name of the Connection Manager profile. | -|CMProfilePath| `` | The full file path to the Connection Manager profile. | -|CMUseCustom |
          • **0.** Don’t use a custom Connection Manager profile.
          • **1.** Use a custom Connection Manager profile.
          | Determines whether to use a custom Connection Manager profile. | -|CompanyName |`` |The name of the company with a valid IEAK 11 license, building this .ins file. | -|EncodeFavs |
          • **0.** Don’t encode the section.
          • **1.** Encode the section.
          |Determines whether to encode the **[Favorites]** section for versions of IE earlier than 5.0. | -|FavoritesDelete |*hexadecimal:* `0x89` |Lets you remove all existing Favorites and Quick Links. | -|FavoritesOnTop |
          • **0.** Don’t put the new item at the top of the **Favorites** menu.
          • **1.** Put the new item at the top of the **Favorites** menu.
          |Determines whether to put new favorite items at the top of the menu. | -|IE4 Welcome Msg |
          • **0.** Don’t go to a **Welcome** page the first time the browser is opened.
          • **1.** Go to a **Welcome** page the first time the browser is opened.
          |Determines whether a **Welcome** page appears. | -|Language ID |`` |Code value for the language used. | -|Language Locale |`` |The locale of the version of IE being customized, as denoted by a four-letter string — for example, EN-us for English. | -|NoIELite |
          • **0.** Don’t optimize the Active Setup Wizard.
          • **1.** Optimize the Active Setup Wizard for download, using existing files, as possible.
          |Determines whether to optimize the Active Setup Wizard for download. | -|SilentInstall |
          • **0.** Run Windows Update Setup interactively.
          • **1.** Run Windows Update Setup non-interactively, but show progress and error messages to the employee.
          |Determines whether Windows Update Setup runs interactively on the employee’s computer.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | -|StealthInstall |

          • **0.** Run Windows Update Setup showing progress and error messages to the employee.
          • **1.** Run Windows Update Setup without showing error messages to the employee.
          |Determines whether Windows Update Setup shows error messages and dialog boxes.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | -|Toolbar Bitmap |`` |Full path to the icon bitmap that appears on the browser toolbar. | -|Type |

          • **1.** Internal version. For use on a corporate intranet or network.
          • **2.** External version. For use by ISPs, ICPs, or Developers.
          |The version of IEAK 11 being used. | -|User Agent |`` |String to be appended to the default User Agent string. | -|Version |`` |Version number of the browser. For example, `6,0,0,1`. | -|WebIntegrated |
          • **0.** Don’t include the 4.x integrated shell in your custom package.
          • **1.** Include the 4.x integrated shell in your custom package.
          |Determines whether the IE 4.x integrated shell is included in this package. | -|Win32DownloadSite |`` |URL from where your employees will download the IEsetup.exe file. | -|Window_Title |`` |Customized window title for IE. | -|Window_Title_CN |`` |Company name to be appended to the window title. | -|WizardVersion |`` |Version of the IEAK that created the .ins file. For example, `6.00.0707.2800`. | - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package. +author: lomayor +ms.prod: ie11 +ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Branding .INS file to create custom branding and setup info +Info about the custom branding and setup information in your browser package. + +|Name |Value | Description | +|-----------|--------------------------------|--------------------------------------------------------------| +|Add on URL | `` |The add-on URL for the product updates command in the browser.| +|BrowserDefault|
          • **0.** Locks down Internet Explorer as the default browser.
          • **1.** Preserves the existing default browser.
          • **2.** Lets the employee decide the default browser.
          | Determines the default browser behavior. | +|CMBitmapName | `` | The file name for the Connection Manager custom bitmap. | +|CMBitmapPath | `` | The full file path to the Connection Manager custom bitmap file. | +|CMProfileName| `` | The name of the Connection Manager profile. | +|CMProfilePath| `` | The full file path to the Connection Manager profile. | +|CMUseCustom |
          • **0.** Don’t use a custom Connection Manager profile.
          • **1.** Use a custom Connection Manager profile.
          | Determines whether to use a custom Connection Manager profile. | +|CompanyName |`` |The name of the company with a valid IEAK 11 license, building this .ins file. | +|EncodeFavs |
          • **0.** Don’t encode the section.
          • **1.** Encode the section.
          |Determines whether to encode the **[Favorites]** section for versions of IE earlier than 5.0. | +|FavoritesDelete |*hexadecimal:* `0x89` |Lets you remove all existing Favorites and Quick Links. | +|FavoritesOnTop |
          • **0.** Don’t put the new item at the top of the **Favorites** menu.
          • **1.** Put the new item at the top of the **Favorites** menu.
          |Determines whether to put new favorite items at the top of the menu. | +|IE4 Welcome Msg |
          • **0.** Don’t go to a **Welcome** page the first time the browser is opened.
          • **1.** Go to a **Welcome** page the first time the browser is opened.
          |Determines whether a **Welcome** page appears. | +|Language ID |`` |Code value for the language used. | +|Language Locale |`` |The locale of the version of IE being customized, as denoted by a four-letter string — for example, EN-us for English. | +|NoIELite |
          • **0.** Don’t optimize the Active Setup Wizard.
          • **1.** Optimize the Active Setup Wizard for download, using existing files, as possible.
          |Determines whether to optimize the Active Setup Wizard for download. | +|SilentInstall |
          • **0.** Run Windows Update Setup interactively.
          • **1.** Run Windows Update Setup non-interactively, but show progress and error messages to the employee.
          |Determines whether Windows Update Setup runs interactively on the employee’s computer.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | +|StealthInstall |

          • **0.** Run Windows Update Setup showing progress and error messages to the employee.
          • **1.** Run Windows Update Setup without showing error messages to the employee.
          |Determines whether Windows Update Setup shows error messages and dialog boxes.

          **Note**
          This only appears for the **Internal** version of the IEAK 11. | +|Toolbar Bitmap |`` |Full path to the icon bitmap that appears on the browser toolbar. | +|Type |

          • **1.** Internal version. For use on a corporate intranet or network.
          • **2.** External version. For use by ISPs, ICPs, or Developers.
          |The version of IEAK 11 being used. | +|User Agent |`` |String to be appended to the default User Agent string. | +|Version |`` |Version number of the browser. For example, `6,0,0,1`. | +|WebIntegrated |
          • **0.** Don’t include the 4.x integrated shell in your custom package.
          • **1.** Include the 4.x integrated shell in your custom package.
          |Determines whether the IE 4.x integrated shell is included in this package. | +|Win32DownloadSite |`` |URL from where your employees will download the IEsetup.exe file. | +|Window_Title |`` |Customized window title for IE. | +|Window_Title_CN |`` |Company name to be appended to the window title. | +|WizardVersion |`` |Version of the IEAK that created the .ins file. For example, `6.00.0707.2800`. | + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md index 5b332edf14..ab8937ec4a 100644 --- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md @@ -1,56 +1,56 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar. -author: lomayor -ms.prod: ie11 -ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Browser User Interface page in the IEAK 11 Wizard -The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE. - -**Note**
          The customizations you make on this page apply only to Internet Explorer for the desktop. - - **To use the Browser User Interface page** - -1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.

          -The text shows up in the title bar as **IE provided by** <*your_custom_text*>. - -2. Check the **Delete existing toolbar buttons, if present** box so you can delete all of the toolbar buttons in your employee’s browser, except for the standard buttons installed with IE (which can’t be removed). - -**Note**
          Only Administrators can use this option. - -3. Click **Add** to add new toolbar buttons.

          - The **Browser Toolbar Button Information** box appears. - -4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters. - -5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button. - -6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels. - -7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.

          - This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**. - -8. Click **OK.** - -9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed. - -10. Click **Next** to go to the [Search Providers](search-providers-ieak11-wizard.md) page or **Back** to go to the [User Experience](user-experience-ieak11-wizard.md) page. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar. +author: lomayor +ms.prod: ie11 +ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Browser User Interface page in the IEAK 11 Wizard +The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE. + +**Note**
          The customizations you make on this page apply only to Internet Explorer for the desktop. + + **To use the Browser User Interface page** + +1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.

          +The text shows up in the title bar as **IE provided by** <*your_custom_text*>. + +2. Check the **Delete existing toolbar buttons, if present** box so you can delete all of the toolbar buttons in your employee’s browser, except for the standard buttons installed with IE (which can’t be removed). + +**Note**
          Only Administrators can use this option. + +3. Click **Add** to add new toolbar buttons.

          + The **Browser Toolbar Button Information** box appears. + +4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters. + +5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button. + +6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels. + +7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.

          + This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**. + +8. Click **OK.** + +9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed. + +10. Click **Next** to go to the [Search Providers](search-providers-ieak11-wizard.md) page or **Back** to go to the [User Experience](user-experience-ieak11-wizard.md) page. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md index d6404a8966..56922b0838 100644 --- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons. -author: lomayor -ms.prod: ie11 -ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons -Info about how to customize the Internet Explorer toolbar. - -|Name |Value |Description | -|-----------|---------------------------|-------------| -|Action0 |`` |Path and file name for the executable (.exe) file that's associated with your custom toolbar button. | -|Caption0 |`` |Text that appears as the caption for your custom toolbar button. | -|DeleteButtons |

          • **0.** Don’t delete the existing custom toolbar buttons.
          • **1.** Delete the existing custom toolbar buttons.
          |Determines whether to delete the existing custom toolbar buttons. | -|HotIcon0 |`` |An icon (.ico) file that appears highlighted on the button when the pointer is moved over it. | -|Icon0 |`` |An icon (.ico) file that appears dimmed on the button when the pointer isn’t moved over it. | -|Show0 |
          • **0.** Don’t show the button by default.
          • **1.** Show the button by default.
          |Determines whether to show the new button on the toolbar by default. | -|ToolTipText0 |`` |Tooltip text for the custom toolbar button. | - -  - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons. +author: lomayor +ms.prod: ie11 +ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons +Info about how to customize the Internet Explorer toolbar. + +|Name |Value |Description | +|-----------|---------------------------|-------------| +|Action0 |`` |Path and file name for the executable (.exe) file that's associated with your custom toolbar button. | +|Caption0 |`` |Text that appears as the caption for your custom toolbar button. | +|DeleteButtons |
          • **0.** Don’t delete the existing custom toolbar buttons.
          • **1.** Delete the existing custom toolbar buttons.
          |Determines whether to delete the existing custom toolbar buttons. | +|HotIcon0 |`` |An icon (.ico) file that appears highlighted on the button when the pointer is moved over it. | +|Icon0 |`` |An icon (.ico) file that appears dimmed on the button when the pointer isn’t moved over it. | +|Show0 |
          • **0.** Don’t show the button by default.
          • **1.** Show the button by default.
          |Determines whether to show the new button on the toolbar by default. | +|ToolTipText0 |`` |Tooltip text for the custom toolbar button. | + +  + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md index 1b78bbee1d..d96bb1744c 100644 --- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md @@ -3,9 +3,10 @@ ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section. author: lomayor -ms.prod: ie111 +ms.prod: ie11 ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e ms.reviewer: +audience: itpro manager: dansimp ms.author: lomayor title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md index ec0d11f73c..0d0a0bde19 100644 --- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md @@ -1,26 +1,26 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps. -author: lomayor -ms.prod: ie11 -ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the CabSigning .INS file to customize the digital signature info for your apps -Info about how to customize the digital signature info for your apps. - -|Name |Value |Description | -|-----------|---------------------------|-------------| -|InfoURL |`` |URL that appears on the **Certificate** dialog box. | -|Name |`` |Company name associated with the certificate. | -|pvkFile |`` |File path to the privacy key file. | -|spcFile |`` |File path to the certificate file.| - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps. +author: lomayor +ms.prod: ie11 +ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the CabSigning .INS file to customize the digital signature info for your apps +Info about how to customize the digital signature info for your apps. + +|Name |Value |Description | +|-----------|---------------------------|-------------| +|InfoURL |`` |URL that appears on the **Certificate** dialog box. | +|Name |`` |Company name associated with the certificate. | +|pvkFile |`` |File path to the privacy key file. | +|spcFile |`` |File path to the certificate file.| + diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md index 843f8a478c..7e05be2556 100644 --- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md @@ -1,22 +1,22 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Compatibility View page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Compatibility View page in the IEAK 11 Wizard -We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). - -Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Compatibility View page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Compatibility View page in the IEAK 11 Wizard +We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). + +Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page. + diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md index 80fc96491a..3fbf4b4276 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md @@ -1,21 +1,21 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Connection Manager page in the IEAK 11 Wizard -We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11. - -Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Connection Manager page in the IEAK 11 Wizard +We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11. + +Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page. + diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md index 4ef7b729f2..1d7f645f31 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md @@ -1,41 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers. -author: lomayor -ms.prod: ie11 -ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Connection Settings page in the IEAK 11 Wizard -The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers. - -**Note**
          Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page. - -**To view your current connection settings** - -1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab. - -2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings. - -**To use the Connection Settings page** - -1. Decide if you want to customize your connection settings. You can pick: - - - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings. - - - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings. - - **Note**
          If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes. - -2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers. - -3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers. +author: lomayor +ms.prod: ie11 +ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Connection Settings page in the IEAK 11 Wizard +The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers. + +**Note**
          Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page. + +**To view your current connection settings** + +1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab. + +2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings. + +**To use the Connection Settings page** + +1. Decide if you want to customize your connection settings. You can pick: + + - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings. + + - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings. + + **Note**
          If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes. + +2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers. + +3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page. + diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md index bd63234840..2f510429c0 100644 --- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md @@ -1,26 +1,26 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the ConnectionSettings .INS file to review the network connections for install -Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers. - -|Name |Value |Description | -|-----------|---------------------------|-------------| -|ConnectName0 |`` |Name for the connection. | -|ConnectName1 |`` |Secondary name for the connection. | -|DeleteConnectionSettings |
          • **0.** Don’t remove the connection settings during installation.
          • **1.** Remove the connection settings during installation.

            **Note**
            This only appears for the **Internal** version of the IEAK 11.

          |Determines whether to remove the existing connection settings during installation of your custom package. | -|Option |
          • **0.** Don’t let employees import connection settings.
          • **1.** Let employees import connection settings.
          |Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the ConnectionSettings .INS file to review the network connections for install +Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers. + +|Name |Value |Description | +|-----------|---------------------------|-------------| +|ConnectName0 |`` |Name for the connection. | +|ConnectName1 |`` |Secondary name for the connection. | +|DeleteConnectionSettings |
          • **0.** Don’t remove the connection settings during installation.
          • **1.** Remove the connection settings during installation.

            **Note**
            This only appears for the **Internal** version of the IEAK 11.

          |Determines whether to remove the existing connection settings during installation of your custom package. | +|Option |
          • **0.** Don’t let employees import connection settings.
          • **1.** Let employees import connection settings.
          |Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. | + diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md index 21c49dc308..5dab4acabf 100644 --- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md @@ -1,24 +1,24 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: How to create your folder structure on the computer that you’ll use to build your custom browser package. -author: lomayor -ms.prod: ie11 -ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Create the build computer folder structure using IEAK 11 -Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**. - -|Name |Version |Description | -|-----------------|----------------------|---------------------------------------------------------| -|`\` |Internal and External |The main, placeholder folder used for all files built by IEAK or that you referenced in your custom package.| -|`\\Dist` |Internal only |Destination directory for your files. You’ll only need this folder if you’re creating your browser package on a network drive. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: How to create your folder structure on the computer that you’ll use to build your custom browser package. +author: lomayor +ms.prod: ie11 +ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Create the build computer folder structure using IEAK 11 +Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**. + +|Name |Version |Description | +|-----------------|----------------------|---------------------------------------------------------| +|`\` |Internal and External |The main, placeholder folder used for all files built by IEAK or that you referenced in your custom package.| +|`\\Dist` |Internal only |Destination directory for your files. You’ll only need this folder if you’re creating your browser package on a network drive. | + diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md index 6931f6e77d..ee5455e665 100644 --- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md @@ -1,27 +1,27 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages. -author: lomayor -ms.prod: ie11 -ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Tasks and references to consider before creating and deploying custom packages using IEAK 11 -Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company. - -|Task |References | -|----------------------------------------|--------------------------------------------------------------| -|Review concepts and requirements, including info about the version and features you'll use. |
          • [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md)
          • [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md)
          • [Before you start using IEAK 11](before-you-create-custom-pkgs-ieak11.md)
          | -|Prep your environment and get all of the info you'll need for running IEAK 11 |
          • [Create the build computer folder structure using IEAK 11](create-build-folder-structure-ieak11.md)
          • [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md)
          • [Before you install your package over your network using IEAK 11](prep-network-install-with-ieak11.md)
          • [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md)
          • [Register an uninstall app for custom components using IEAK 11](register-uninstall-app-ieak11.md)
          • [Add and approve ActiveX controls using the IEAK 11](add-and-approve-activex-controls-ieak11.md)
          • [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ieak11-wizard-custom-options.md)
          • [Security features and IEAK 11](security-and-ieak11.md)
          | -|Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard |
          • [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md)
          • [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md)
          • [Use the Language Selection page in the IEAK 11 Wizard](language-selection-ieak11-wizard.md)
          • [Use the Package Type Selection page in the IEAK 11 Wizard](pkg-type-selection-ieak11-wizard.md)
          • [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md)
          • [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](auto-version-sync-ieak11-wizard.md)
          • [Use the Custom Components page in the IEAK 11 Wizard](custom-components-ieak11-wizard.md)
          • [Use the Internal Install page in the IEAK 11 Wizard](internal-install-ieak11-wizard.md)
          • [Use the User Experience page in the IEAK 11 Wizard](user-experience-ieak11-wizard.md)
          • [Use the Browser User Interface page in the IEAK 11 Wizard](browser-ui-ieak11-wizard.md)
          • [Use the Search Providers page in the IEAK 11 Wizard](search-providers-ieak11-wizard.md)
          • [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md)
          • [Use the Accelerators page in the IEAK 11 Wizard](accelerators-ieak11-wizard.md)
          • [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](favorites-favoritesbar-and-feeds-ieak11-wizard.md)
          • [Use the Browsing Options page in the IEAK 11 Wizard](browsing-options-ieak11-wizard.md)
          • [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](first-run-and-welcome-page-ieak11-wizard.md)
          • [Use the Compatibility View page in the IEAK 11 Wizard](compat-view-ieak11-wizard.md)
          • [Use the Connection Manager page in the IEAK 11 Wizard](connection-mgr-ieak11-wizard.md)
          • [Use the Connection Settings page in the IEAK 11 Wizard](connection-settings-ieak11-wizard.md)
          • [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md)
          • [Use the Proxy Settings page in the IEAK 11 Wizard](proxy-settings-ieak11-wizard.md)
          • [Use the Security and Privacy Settings page in the IEAK 11 Wizard](security-and-privacy-settings-ieak11-wizard.md)
          • [Use the Add a Root Certificate page in the IEAK 11 Wizard](add-root-certificate-ieak11-wizard.md)
          • [Use the Programs page in the IEAK 11 Wizard](programs-ieak11-wizard.md)
          • [Use the Additional Settings page in the IEAK 11 Wizard](additional-settings-ieak11-wizard.md)
          • [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](wizard-complete-ieak11-wizard.md)
          | -|Review your policy settings and create multiple versions of your install package. |
          • [Create multiple versions of your custom package using IEAK 11](create-multiple-browser-packages-ieak11.md)
          • [Use the RSoP snap-in to review policy settings](rsop-snapin-for-policy-settings-ieak11.md)

            **Note**
            For deployment instructions, additional troubleshooting, and post-installation management, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)

          | -|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
          • [Troubleshoot custom package and IEAK 11 problems](troubleshooting-custom-browser-pkg-ieak11.md)
          • [File types used or created by IEAK 11](file-types-ieak11.md)
          • [Customize Automatic Search using IEAK 11](customize-automatic-search-for-ie.md)
          • [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md)
          • [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md)
          • [Use proxy auto-configuration (.pac) files with IEAK 11](proxy-auto-config-examples.md)
          • [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
          | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages. +author: lomayor +ms.prod: ie11 +ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Tasks and references to consider before creating and deploying custom packages using IEAK 11 +Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company. + +|Task |References | +|----------------------------------------|--------------------------------------------------------------| +|Review concepts and requirements, including info about the version and features you'll use. |
          • [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md)
          • [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md)
          • [Before you start using IEAK 11](before-you-create-custom-pkgs-ieak11.md)
          | +|Prep your environment and get all of the info you'll need for running IEAK 11 |
          • [Create the build computer folder structure using IEAK 11](create-build-folder-structure-ieak11.md)
          • [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md)
          • [Before you install your package over your network using IEAK 11](prep-network-install-with-ieak11.md)
          • [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md)
          • [Register an uninstall app for custom components using IEAK 11](register-uninstall-app-ieak11.md)
          • [Add and approve ActiveX controls using the IEAK 11](add-and-approve-activex-controls-ieak11.md)
          • [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ieak11-wizard-custom-options.md)
          • [Security features and IEAK 11](security-and-ieak11.md)
          | +|Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard |
          • [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md)
          • [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md)
          • [Use the Language Selection page in the IEAK 11 Wizard](language-selection-ieak11-wizard.md)
          • [Use the Package Type Selection page in the IEAK 11 Wizard](pkg-type-selection-ieak11-wizard.md)
          • [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md)
          • [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](auto-version-sync-ieak11-wizard.md)
          • [Use the Custom Components page in the IEAK 11 Wizard](custom-components-ieak11-wizard.md)
          • [Use the Internal Install page in the IEAK 11 Wizard](internal-install-ieak11-wizard.md)
          • [Use the User Experience page in the IEAK 11 Wizard](user-experience-ieak11-wizard.md)
          • [Use the Browser User Interface page in the IEAK 11 Wizard](browser-ui-ieak11-wizard.md)
          • [Use the Search Providers page in the IEAK 11 Wizard](search-providers-ieak11-wizard.md)
          • [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md)
          • [Use the Accelerators page in the IEAK 11 Wizard](accelerators-ieak11-wizard.md)
          • [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](favorites-favoritesbar-and-feeds-ieak11-wizard.md)
          • [Use the Browsing Options page in the IEAK 11 Wizard](browsing-options-ieak11-wizard.md)
          • [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](first-run-and-welcome-page-ieak11-wizard.md)
          • [Use the Compatibility View page in the IEAK 11 Wizard](compat-view-ieak11-wizard.md)
          • [Use the Connection Manager page in the IEAK 11 Wizard](connection-mgr-ieak11-wizard.md)
          • [Use the Connection Settings page in the IEAK 11 Wizard](connection-settings-ieak11-wizard.md)
          • [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md)
          • [Use the Proxy Settings page in the IEAK 11 Wizard](proxy-settings-ieak11-wizard.md)
          • [Use the Security and Privacy Settings page in the IEAK 11 Wizard](security-and-privacy-settings-ieak11-wizard.md)
          • [Use the Add a Root Certificate page in the IEAK 11 Wizard](add-root-certificate-ieak11-wizard.md)
          • [Use the Programs page in the IEAK 11 Wizard](programs-ieak11-wizard.md)
          • [Use the Additional Settings page in the IEAK 11 Wizard](additional-settings-ieak11-wizard.md)
          • [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](wizard-complete-ieak11-wizard.md)
          | +|Review your policy settings and create multiple versions of your install package. |
          • [Create multiple versions of your custom package using IEAK 11](create-multiple-browser-packages-ieak11.md)
          • [Use the RSoP snap-in to review policy settings](rsop-snapin-for-policy-settings-ieak11.md)

            **Note**
            For deployment instructions, additional troubleshooting, and post-installation management, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)

          | +|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
          • [Troubleshoot custom package and IEAK 11 problems](troubleshooting-custom-browser-pkg-ieak11.md)
          • [File types used or created by IEAK 11](file-types-ieak11.md)
          • [Customize Automatic Search using IEAK 11](customize-automatic-search-for-ie.md)
          • [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md)
          • [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md)
          • [Use proxy auto-configuration (.pac) files with IEAK 11](proxy-auto-config-examples.md)
          • [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
          | + diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md index 205ced6016..896d25732d 100644 --- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md @@ -1,38 +1,38 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package. -author: lomayor -ms.prod: ie11 -ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Create multiple versions of your custom package using IEAK 11 -You'll need to create multiple versions of your custom browser package if: - -- You support more than 1 version of the Windows operating system. - -- You support more than 1 language. - -- You have custom installation packages with only minor differences. For example, having a different phone number or a different set of URLs in the **Favorites** folder. - -The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). - -**To create multiple versions of your browser package** - -1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic. - -2. Go to the Cie\Custom folder and rename the Install.ins file to a name that reflects the version. Like, if you need a version for your employees in Texas, you could name the file Texas.ins. - -3. Run the wizard again, choosing the newly renamed folder as the destination directory for your output files.

          -**Important**
          Except for the **Title bar** text, **Favorites**, **Links bar**, **Home** page, and **Search bar**, we recommend that you keep all of your wizard settings the same for all of your build computers. - -4. Repeat this process until you’ve created a package for each version of your custom installation package. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package. +author: lomayor +ms.prod: ie11 +ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Create multiple versions of your custom package using IEAK 11 +You'll need to create multiple versions of your custom browser package if: + +- You support more than 1 version of the Windows operating system. + +- You support more than 1 language. + +- You have custom installation packages with only minor differences. For example, having a different phone number or a different set of URLs in the **Favorites** folder. + +The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). + +**To create multiple versions of your browser package** + +1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic. + +2. Go to the Cie\Custom folder and rename the Install.ins file to a name that reflects the version. Like, if you need a version for your employees in Texas, you could name the file Texas.ins. + +3. Run the wizard again, choosing the newly renamed folder as the destination directory for your output files.

          +**Important**
          Except for the **Title bar** text, **Favorites**, **Links bar**, **Home** page, and **Search bar**, we recommend that you keep all of your wizard settings the same for all of your build computers. + +4. Repeat this process until you’ve created a package for each version of your custom installation package. + diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md index 70feb9ac8a..a74479dce6 100644 --- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md +++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md @@ -1,29 +1,29 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages. -author: lomayor -ms.prod: ie11 -ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use uninstallation .INF files to uninstall custom components -The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**. - -**To uninstall your custom components** - -1. Open the Registry Editor and add a new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`

          -Where *description* is the string that’s shown in the **Uninstall or change a program** box. - -2. Add another new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString”",,"command-line"`

          -Where *command-line* is the command that’s run when the component is picked from the **Uninstall or change a program** box. - -Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages. +author: lomayor +ms.prod: ie11 +ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use uninstallation .INF files to uninstall custom components +The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**. + +**To uninstall your custom components** + +1. Open the Registry Editor and add a new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`

          +Where *description* is the string that’s shown in the **Uninstall or change a program** box. + +2. Add another new key and value to:
          `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString”",,"command-line"`

          +Where *command-line* is the command that’s run when the component is picked from the **Uninstall or change a program** box. + +Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component. + diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md index 515a597c8f..faf527ba94 100644 --- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md @@ -1,60 +1,60 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE. -author: lomayor -ms.prod: ie11 -ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Custom Components page in the IEAK 11 Wizard -The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component. - -**Important**
          You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md). - -**To use the Custom Component page** - -1. Click **Add**.

          -The **Add a Custom Component** box appears. - -2. Type in the name of your component and then browse to the location of your file (either .cab or .exe). - -3. Pick when to install the component. This can be before IE, after IE, or after the computer restarts.

          -**Important**
          You should install your component before IE if you need to run a batch file to configure your employee settings. You should install your component after IE if you plan to install software updates.  - -4. Check the **Only install if IE is installed successfully** box if your component should only install if IE installs successfully. For example, if you’re installing a security update that requires IE. - -5. If your component is a .cab file, you must provide the extraction command into the **Command** box. - -6. If your component has its own globally unique identifier (GUID), replace the value in the **GUID** box. Otherwise, keep the automatically generated GUID. - -7. Describe your component using up to 511 characters in the **Description** box. - -8. Type any command-line options that need to run while installing your component into the **Parameters** box. For example, if you want your component to install silently, without prompts. For more info about using options, see [IExpress command-line options](iexpress-command-line-options.md). - -9. Type the value that Microsoft Update Setup uses to check that the component installed successfully into the **Uninstall Key** box. This check is done by comparing your value to the value in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` key. - -10. Type a numeric serial number for your component into the **Version** box, using this format: *xxxx*, *xxxxxx*, *xxxx*, *xxxx*. - -11. Click **Add**.

          -The boxes clear and you can add another component. Click **Cancel** to go back to the **Custom Components** page. - -12. Click **Edit** to change your custom component information, **Verify** to make sure the component is digitally signed, or **Remove** to delete the component from your custom installation package. - -13. Click **Next** to go to the [Internal Install](internal-install-ieak11-wizard.md) page or **Back** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE. +author: lomayor +ms.prod: ie11 +ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Custom Components page in the IEAK 11 Wizard +The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component. + +**Important**
          You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md). + +**To use the Custom Component page** + +1. Click **Add**.

          +The **Add a Custom Component** box appears. + +2. Type in the name of your component and then browse to the location of your file (either .cab or .exe). + +3. Pick when to install the component. This can be before IE, after IE, or after the computer restarts.

          +**Important**
          You should install your component before IE if you need to run a batch file to configure your employee settings. You should install your component after IE if you plan to install software updates.  + +4. Check the **Only install if IE is installed successfully** box if your component should only install if IE installs successfully. For example, if you’re installing a security update that requires IE. + +5. If your component is a .cab file, you must provide the extraction command into the **Command** box. + +6. If your component has its own globally unique identifier (GUID), replace the value in the **GUID** box. Otherwise, keep the automatically generated GUID. + +7. Describe your component using up to 511 characters in the **Description** box. + +8. Type any command-line options that need to run while installing your component into the **Parameters** box. For example, if you want your component to install silently, without prompts. For more info about using options, see [IExpress command-line options](iexpress-command-line-options.md). + +9. Type the value that Microsoft Update Setup uses to check that the component installed successfully into the **Uninstall Key** box. This check is done by comparing your value to the value in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` key. + +10. Type a numeric serial number for your component into the **Version** box, using this format: *xxxx*, *xxxxxx*, *xxxx*, *xxxx*. + +11. Click **Add**.

          +The boxes clear and you can add another component. Click **Cancel** to go back to the **Custom Components** page. + +12. Click **Edit** to change your custom component information, **Verify** to make sure the component is digitally signed, or **Remove** to delete the component from your custom installation package. + +13. Click **Next** to go to the [Internal Install](internal-install-ieak11-wizard.md) page or **Back** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md index ecca772d78..b40640dffa 100644 --- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md @@ -1,24 +1,24 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file. -author: lomayor -ms.prod: ie11 -ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the CustomBranding .INS file to create custom branding and setup info -Provide the URL to your branding cabinet (.cab) file. - - -| Name | Value | Description | -|----------|------------------|------------------------------------------------------------------------------------------------------------------------| -| Branding | `` | The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file. +author: lomayor +ms.prod: ie11 +ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the CustomBranding .INS file to create custom branding and setup info +Provide the URL to your branding cabinet (.cab) file. + + +| Name | Value | Description | +|----------|------------------|------------------------------------------------------------------------------------------------------------------------| +| Branding | `` | The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab. | + diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index 20a747a5db..5f3eac4aaa 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md @@ -1,103 +1,103 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: manage -description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages. -author: lomayor -ms.prod: ie11 -ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Customize Automatic Search for Internet Explorer using IEAK 11 -Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. - -Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers. - -## Automatic Search Configuration -You can customize Automatic Search so that your employees can type a single word into the **Address** box to search for frequently used pages. For example, you can let a commonly used webpage about invoices appear if an employee types *invoice* into the **Address** box, even if the URL doesn’t include the term. If a website can’t be associated with the term, or if there are multiple matches, a webpage appears showing the top search results. - -**To set up Automatic Search** - -1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

          - For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

          - **Important**
          If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. - -2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**. - -3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. - -**To redirect to a different site than the one provided by the search results** - -- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**. - -**To disable Automatic Search** - -- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**. - -### Automatic Search parameters -You must replace the Automatic Search script file parameters, *%1* and *%2* so they’re part of the actual URL. - -|Parameter |Value | -|----------|--------------------------------------------------------| -|1% |The text string typed by an employee into the **Address** bar. | -|2% |The type of search chosen by an employee. This can include:

          • **3.** Display the results and go to the most likely site.
          • **2.** Go to the most likely site.
          • **1.** Display the results in the main window.
          • **0.** Don't search from the **Address** box.
          | - -### Sample Automatic Search script -This is a VBScript-based sample of an .asp Automatic Search script. - -``` -<%@ Language=VBScript %> -<% -' search holds the words typed in the Address bar -' by the user, without the "go" or -' "find" or any delimiters like -' "+" for spaces. -' If the user typed -' "Apple pie," search = "Apple pie." -' If the user typed -' "find Apple pie," search = "Apple pie." - -search = Request.QueryString("MT") -search = UCase(search) -searchOption = Request.QueryString("srch") - -' This is a simple if/then/else -' to redirect the browser to the site -' of your choice based on what the -' user typed. -' Example: expense report is an intranet page -' about filling out an expense report - -if (search = "NEW HIRE") then -Response.Redirect("https://admin/hr/newhireforms.htm") -elseif (search = "LIBRARY CATALOG") then -Response.Redirect("https://library/catalog") -elseif (search = "EXPENSE REPORT") then -Response.Redirect("https://expense") -elseif (search = "LUNCH MENU") then -Response.Redirect("https://cafe/menu/") -else - -' If there is not a match, use the -' default IE autosearch server -Response.Redirect("https://auto.search.msn.com/response.asp?MT=" -+ search + "&srch=" + searchOption + -"&prov=&utf8") -end if -%> -``` - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: manage +description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages. +author: lomayor +ms.prod: ie11 +ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Customize Automatic Search for Internet Explorer using IEAK 11 +Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. + +Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers. + +## Automatic Search Configuration +You can customize Automatic Search so that your employees can type a single word into the **Address** box to search for frequently used pages. For example, you can let a commonly used webpage about invoices appear if an employee types *invoice* into the **Address** box, even if the URL doesn’t include the term. If a website can’t be associated with the term, or if there are multiple matches, a webpage appears showing the top search results. + +**To set up Automatic Search** + +1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

          + For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

          + **Important**
          If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. + +2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**. + +3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. + +**To redirect to a different site than the one provided by the search results** + +- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**. + +**To disable Automatic Search** + +- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**. + +### Automatic Search parameters +You must replace the Automatic Search script file parameters, *%1* and *%2* so they’re part of the actual URL. + +|Parameter |Value | +|----------|--------------------------------------------------------| +|1% |The text string typed by an employee into the **Address** bar. | +|2% |The type of search chosen by an employee. This can include:

          • **3.** Display the results and go to the most likely site.
          • **2.** Go to the most likely site.
          • **1.** Display the results in the main window.
          • **0.** Don't search from the **Address** box.
          | + +### Sample Automatic Search script +This is a VBScript-based sample of an .asp Automatic Search script. + +``` +<%@ Language=VBScript %> +<% +' search holds the words typed in the Address bar +' by the user, without the "go" or +' "find" or any delimiters like +' "+" for spaces. +' If the user typed +' "Apple pie," search = "Apple pie." +' If the user typed +' "find Apple pie," search = "Apple pie." + +search = Request.QueryString("MT") +search = UCase(search) +searchOption = Request.QueryString("srch") + +' This is a simple if/then/else +' to redirect the browser to the site +' of your choice based on what the +' user typed. +' Example: expense report is an intranet page +' about filling out an expense report + +if (search = "NEW HIRE") then +Response.Redirect("https://admin/hr/newhireforms.htm") +elseif (search = "LIBRARY CATALOG") then +Response.Redirect("https://library/catalog") +elseif (search = "EXPENSE REPORT") then +Response.Redirect("https://expense") +elseif (search = "LUNCH MENU") then +Response.Redirect("https://cafe/menu/") +else + +' If there is not a match, use the +' default IE autosearch server +Response.Redirect("https://auto.search.msn.com/response.asp?MT=" ++ search + "&srch=" + searchOption + +"&prov=&utf8") +end if +%> +``` + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md index c1eb4899a4..d3bee115a5 100644 --- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md @@ -1,28 +1,28 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components. -author: lomayor -ms.prod: ie11 -ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the ExtRegInf .INS file to specify installation files and mode -Info about how to specify your Setup information (.inf) files and the installation mode for your custom components. - -|Name |Value |Description | -|-----------|---------|------------------------------------------------------------------------------------------------------------------| -|Chat |*string* |The name of the .inf file and the install mode for components. For example, *,chat.inf,DefaultInstall. | -|Conf |*string* |The name of the .inf file and the install mode for components. For example, *,conf.inf,DefaultInstall. | -|Inetres |*string* |The name of the .inf file and the install mode for components. For example, *,inetres.inf,DefaultInstall. | -|Inetset |*string* |The name of the .inf file and the install mode for components. For example, *,inetset.inf,DefaultInstall. | -|Subs |*string* |The name of the .inf file and the install mode for components. For example, *,subs.inf,DefaultInstall. | -|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components. +author: lomayor +ms.prod: ie11 +ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the ExtRegInf .INS file to specify installation files and mode +Info about how to specify your Setup information (.inf) files and the installation mode for your custom components. + +|Name |Value |Description | +|-----------|---------|------------------------------------------------------------------------------------------------------------------| +|Chat |*string* |The name of the .inf file and the install mode for components. For example, *,chat.inf,DefaultInstall. | +|Conf |*string* |The name of the .inf file and the install mode for components. For example, *,conf.inf,DefaultInstall. | +|Inetres |*string* |The name of the .inf file and the install mode for components. For example, *,inetres.inf,DefaultInstall. | +|Inetset |*string* |The name of the .inf file and the install mode for components. For example, *,inetset.inf,DefaultInstall. | +|Subs |*string* |The name of the .inf file and the install mode for components. For example, *,subs.inf,DefaultInstall. | +|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. | + diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md index eb28e056bb..e077a6fbed 100644 --- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md @@ -1,109 +1,109 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package. -author: lomayor -ms.prod: ie11 -ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard -The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add: - -- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**. - -- **Web Slices.** Used so your employees can subscribe to a section of a webpage, tracking information as it changes, such as for weather reports, stock prices, or the progress of an auction item. - -- **Feeds.** Used so your employees can quickly access your recommended RSS feeds. While you can’t import a folder of RSS feeds, you can add new links. - -Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop. - -**To work with Favorites** - -1. To import your existing folder of links, pick **Favorites**, and then click **Import**. - -2. Go to your existing link folder, most likely in the `\Users\\Favorites` folder, and then click **OK**.

          -The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites** folder. - -3. To add a new favorite link, pick **Favorites**, and then click **Add URL**.

          -The **Details** box appears. - -4. Type the new link name in the **Name** box. - -5. Type the new URL in the **URL** box. - -6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. - -7. Click **OK**. - -8. To add a new **Favorites** folder, pick **Favorites**, and then click **Add Folder**.

          -The **Details** box appears. - -9. Type the folder name into the **Name** box, and then click **OK**. - -10. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites** item. - -11. If you have multiple **Favorites** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. - -12. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. - -13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. - -**To work with the Favorites Bar** - -1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**. - -2. Go to your existing link folder, most likely in the `\Users\\Favorites\Favorites Bar` folder, and then click **OK**.

          -The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites Bar** folder. - -3. To add a new link to the **Favorites Bar**, pick **Favorites Bar**, and then click **Add URL**.

          -The **Details** box appears. - -4. Type the new quick link name in the **Name** box. - -5. Type the new URL in the **URL** box. - -6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. - -7. Pick whether your link is a simple **Link**, a **Feed**, or a **Web Slice**, and then click **OK**. - -8. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites Bar** item. - -9. If you have multiple **Favorites Bar** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. - -10. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. - -11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. - -**To work with RSS Feeds** - -1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.

          -The **Details** box appears. - -2. Type the new link name in the **Name** box. - -3. Type the new URL in the **URL** box, and then click **OK**. - -4. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **RSS Feeds** item. - -5. If you have multiple **RSS Feeds** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. - -6. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. - -7. Continue with the next procedures in this topic to add additional **Favorites** or **Favorites Bar** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package. +author: lomayor +ms.prod: ie11 +ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard +The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add: + +- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**. + +- **Web Slices.** Used so your employees can subscribe to a section of a webpage, tracking information as it changes, such as for weather reports, stock prices, or the progress of an auction item. + +- **Feeds.** Used so your employees can quickly access your recommended RSS feeds. While you can’t import a folder of RSS feeds, you can add new links. + +Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop. + +**To work with Favorites** + +1. To import your existing folder of links, pick **Favorites**, and then click **Import**. + +2. Go to your existing link folder, most likely in the `\Users\\Favorites` folder, and then click **OK**.

          +The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites** folder. + +3. To add a new favorite link, pick **Favorites**, and then click **Add URL**.

          +The **Details** box appears. + +4. Type the new link name in the **Name** box. + +5. Type the new URL in the **URL** box. + +6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. + +7. Click **OK**. + +8. To add a new **Favorites** folder, pick **Favorites**, and then click **Add Folder**.

          +The **Details** box appears. + +9. Type the folder name into the **Name** box, and then click **OK**. + +10. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites** item. + +11. If you have multiple **Favorites** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. + +12. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. + +13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. + +**To work with the Favorites Bar** + +1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**. + +2. Go to your existing link folder, most likely in the `\Users\\Favorites\Favorites Bar` folder, and then click **OK**.

          +The links are imported and added to the **Favorites, Favorites Bar, and Feeds** page, beneath the **Favorites Bar** folder. + +3. To add a new link to the **Favorites Bar**, pick **Favorites Bar**, and then click **Add URL**.

          +The **Details** box appears. + +4. Type the new quick link name in the **Name** box. + +5. Type the new URL in the **URL** box. + +6. Optionally, you can add a 16x16 pixel icon to your link by adding the location in the **Icon** box. + +7. Pick whether your link is a simple **Link**, a **Feed**, or a **Web Slice**, and then click **OK**. + +8. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **Favorites Bar** item. + +9. If you have multiple **Favorites Bar** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. + +10. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. + +11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. + +**To work with RSS Feeds** + +1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.

          +The **Details** box appears. + +2. Type the new link name in the **Name** box. + +3. Type the new URL in the **URL** box, and then click **OK**. + +4. Click **Edit** to change any of your new information, **Test URL** to test each of your links to make sure they go to the right place, or **Remove** to delete a **RSS Feeds** item. + +5. If you have multiple **RSS Feeds** links, you can update their order in the list. Check the **Add to the top of the list** box, click the link you want to move, and then click **Move Up** or **Move Down**. + +6. Check the **Disable IE Suggested Sites** box to disable the Suggested Sites feature. By turning this on, your employees won’t receive suggested sites based on the sites that they visit. + +7. Continue with the next procedures in this topic to add additional **Favorites** or **Favorites Bar** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md index 634f7bef2e..cd9cbf7a91 100644 --- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md @@ -1,26 +1,26 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs. -author: lomayor -ms.prod: ie11 -ms.assetid: 55de376a-d442-478e-8978-3b064407b631 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the FavoritesEx .INS file for your Favorites icon and URLs -Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site. - -|Name |Value |Description | -|----------------|-----------------------|--------------------------------------------------------------------------| -|IconFile1 |`` |An icon (.ico file) that represents the **Favorites** item you’re adding. | -|Offline1 |

          • **0.** Makes the **Favorites** item unavailable for offline browsing.
          • **1.** Makes the **Favorites** item available for offline browsing.
          |Determines if the **Favorites** item is available for offline browsing. | -|Title1 |`` |Title for the **Favorites** item. | -|Url1 |`` |URL to the **Favorites** item. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs. +author: lomayor +ms.prod: ie11 +ms.assetid: 55de376a-d442-478e-8978-3b064407b631 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the FavoritesEx .INS file for your Favorites icon and URLs +Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site. + +|Name |Value |Description | +|----------------|-----------------------|--------------------------------------------------------------------------| +|IconFile1 |`` |An icon (.ico file) that represents the **Favorites** item you’re adding. | +|Offline1 |
          • **0.** Makes the **Favorites** item unavailable for offline browsing.
          • **1.** Makes the **Favorites** item available for offline browsing.
          |Determines if the **Favorites** item is available for offline browsing. | +|Title1 |`` |Title for the **Favorites** item. | +|Url1 |`` |URL to the **Favorites** item. | + diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md index 226ffcfaad..78294cd509 100644 --- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md @@ -1,64 +1,64 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company. -author: lomayor -ms.prod: ie11 -ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Feature Selection page in the IEAK 11 Wizard -The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including: - -- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics. - -- **Internal Install.** Lets you decide to install the latest updates, run the malicious Software Removal Tool, and set IE11 as the default browser. - -- **Connection Manager.** Lets you import your Connection Manager Profiles, created by the Connection Manager Administration Kit (CMAK). - -- **Browser User Interface.** Lets you change the toolbar buttons, the title bar, and the general look of the browser. - -- **Search Providers.** Lets you add, remove, and pick a new default search provider for IE11. - -- **Important URLs – Home Page and Support.** Lets you choose multiple **Home** pages that open in different tabs in IE. You can also use this page to change the **Welcome** and **Online Support** pages. - -- **Accelerators.** Lets you import, add, edit, or remove Accelerators, the contextual services that give you quick access to external services from any webpage. - -- **Favorites, Favorites Bar, and Feeds.** Lets you pick which favorites, web slices, and feeds are installed with your custom installation package. - -- **Browsing Options.** Lets you pick how you delete items in the Favorites, Favorites Bar, and Feeds folders, and whether to add the Microsoft default items. - -- **Compatibility View.** Lets you decide whether IE renders content using compatibility mode or standards mode. - -- **Connections Customization.** Lets you set up and deploy custom connections. - -- **Security Zones and Content Ratings.** Lets you control what your employees can view and what’s downloaded to their computer. - -- **Programs.** Lets you pick the default program that’s used automatically by email, HTML, newsgroups, Internet calls, calendars, and contact lists. - -- **Additional Settings.** Lets you pre-set and lockdown specific functionality on your employee’s computer. - -**Note**
          Your choices on this page determine what wizard pages appear. - -**To use the Feature Selection page** - -1. Check the box next to each feature you want to include in your custom installation package.

          -You can also click **Select All** to add, or **Clear All** to remove, all of the features. - -2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company. +author: lomayor +ms.prod: ie11 +ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Feature Selection page in the IEAK 11 Wizard +The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including: + +- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics. + +- **Internal Install.** Lets you decide to install the latest updates, run the malicious Software Removal Tool, and set IE11 as the default browser. + +- **Connection Manager.** Lets you import your Connection Manager Profiles, created by the Connection Manager Administration Kit (CMAK). + +- **Browser User Interface.** Lets you change the toolbar buttons, the title bar, and the general look of the browser. + +- **Search Providers.** Lets you add, remove, and pick a new default search provider for IE11. + +- **Important URLs – Home Page and Support.** Lets you choose multiple **Home** pages that open in different tabs in IE. You can also use this page to change the **Welcome** and **Online Support** pages. + +- **Accelerators.** Lets you import, add, edit, or remove Accelerators, the contextual services that give you quick access to external services from any webpage. + +- **Favorites, Favorites Bar, and Feeds.** Lets you pick which favorites, web slices, and feeds are installed with your custom installation package. + +- **Browsing Options.** Lets you pick how you delete items in the Favorites, Favorites Bar, and Feeds folders, and whether to add the Microsoft default items. + +- **Compatibility View.** Lets you decide whether IE renders content using compatibility mode or standards mode. + +- **Connections Customization.** Lets you set up and deploy custom connections. + +- **Security Zones and Content Ratings.** Lets you control what your employees can view and what’s downloaded to their computer. + +- **Programs.** Lets you pick the default program that’s used automatically by email, HTML, newsgroups, Internet calls, calendars, and contact lists. + +- **Additional Settings.** Lets you pre-set and lockdown specific functionality on your employee’s computer. + +**Note**
          Your choices on this page determine what wizard pages appear. + +**To use the Feature Selection page** + +1. Check the box next to each feature you want to include in your custom installation package.

          +You can also click **Select All** to add, or **Clear All** to remove, all of the features. + +2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md index 028e5960f1..2fa0b58cc8 100644 --- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders. -author: lomayor -ms.prod: ie11 -ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the File Locations page in the IEAK 11 Wizard -The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including: - -- Where you’ll create and store your custom installation package. - -- Where you’ll download and store Internet Explorer 11. - -**Important**
          -You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with. - -**To use the File Locations page** - -1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.

          -**Note**
          Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders. - -2. Click **Advanced Options**.

          -The **Advanced Options** box opens and lets you change how the wizard downloads and gets files, and how it imports settings from your .ins file. - -3. Check the box letting IE Customization Wizard 11 look for the latest components, using Automatic Version Synchronization.

          -This option lets the wizard connect to the IE **Downloads** page to look for updated versions of IE since you last ran the wizard.

          -**Important**
          -You must run Automatic Version Synchronization at least once to check for updated components. - -4. Browse to your .ins file location, and then click **Open**.

          -By importing settings from an .ins file, you can re-use existing configurations. This saves you time if your packages have the same or similar settings. - -5. Browse to your component download folder.

          -Automatic Version Synchronization automatically checks the component download folder to see if you have the latest version of IE. To keep this folder up-to-date, you shouldn’t change its location. However, if you want to keep both a previous version of IE and the latest version, we recommend you download the components to a different location. - -6. Click **OK** to close the **Advanced Options** box, and then click **Next** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders. +author: lomayor +ms.prod: ie11 +ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the File Locations page in the IEAK 11 Wizard +The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including: + +- Where you’ll create and store your custom installation package. + +- Where you’ll download and store Internet Explorer 11. + +**Important**
          +You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with. + +**To use the File Locations page** + +1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.

          +**Note**
          Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders. + +2. Click **Advanced Options**.

          +The **Advanced Options** box opens and lets you change how the wizard downloads and gets files, and how it imports settings from your .ins file. + +3. Check the box letting IE Customization Wizard 11 look for the latest components, using Automatic Version Synchronization.

          +This option lets the wizard connect to the IE **Downloads** page to look for updated versions of IE since you last ran the wizard.

          +**Important**
          +You must run Automatic Version Synchronization at least once to check for updated components. + +4. Browse to your .ins file location, and then click **Open**.

          +By importing settings from an .ins file, you can re-use existing configurations. This saves you time if your packages have the same or similar settings. + +5. Browse to your component download folder.

          +Automatic Version Synchronization automatically checks the component download folder to see if you have the latest version of IE. To keep this folder up-to-date, you shouldn’t change its location. However, if you want to keep both a previous version of IE and the latest version, we recommend you download the components to a different location. + +6. Click **OK** to close the **Advanced Options** box, and then click **Next** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md index ff726343d3..5dd8eff9da 100644 --- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11). -author: lomayor -ms.prod: ie11 -ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# File types used or created by IEAK 11 -A list of the file types used or created by tools in IEAK 11: - -|File type |Description | -|----------|-------------------------| -|.adm | An admin file (located at `:\Program Files\Windows IEAK 11\policies`), used by Group Policy to define the system policies and restrictions for Windows. You can use the IEAK 11 to change these settings. | -|.bat |An ASCII text file that contains a sequence of operating system commands, including the parameters and operators supported by the batch command language. When you run the batch file from a command prompt, the computer processes each command sequentially. | -|.bmp, .gif, .jpeg, and .jpg |Image files you can use to customize your toolbar button and favorites list icons. For info, see the [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md) page. | -|.cab |A compressed cabinet (.cab) file, created by the Internet Explorer Customization Wizard 11 to store your custom component files. We highly recommend that your .cab files be signed for security purposes. For more info, see the [Security features and IEAK 11](security-and-ieak11.md) page. | -|.cif |A component info file (IESetup.cif), identifying the new or updated components you're going to install with Internet Explorer. Each component file has an associated *ComponentID* that's used by Windows Update Setup to determine whether a new component or an update exists. | -|.cmp |Connection profile files that are created by the Connection Manager Administration Kit (CMAK). | -|.cms |Service provider files, created by the CMAK tool to specify the configuration of the phone book and many of the other functions of your service profiles. | -|.exe |Executable files that control the setup process, by installing the .cab files that install the custom browser package on your employee's devices. | -|.inf |Setup information files that provide installation instructions for your custom browser packages. For more info, see the [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md) page. | -|.ins |Internet Settings files that specify how to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. For more info, see the [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md) page. | -|.pac |Proxy auto-configuration script files that determine whether to connect directly to a host or to use a proxy server. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | -|.js and .jvs |JScript and JavaScript files that let you configure and maintain your advanced proxy settings. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | -|.pvk |A file format used by some certification authorities to store the private key of the digital certificate. The public part of the digital certificate is stored in an SPC file, while the private part is stored in the PVK file. For more info, see the **Understanding certificates** section of the [Security features and IEAK 11](security-and-ieak11.md) page. | -|.sed |Connection profile files, created by the CMAK tool, including the instructions for building the self-extracting executable (.exe) file for your service profiles.

          **Important**
          You must never edit a .sed file. | -|.spc |The software publishing certificate file, which includes:

          • The name and other identifying information of the owner of the certificate.
          • The public key associated with the certificate.
          • The serial number.
          • The length of time the certificate is valid.
          • The digital signature of the certification authority that issued the certificate.
          | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11). +author: lomayor +ms.prod: ie11 +ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# File types used or created by IEAK 11 +A list of the file types used or created by tools in IEAK 11: + +|File type |Description | +|----------|-------------------------| +|.adm | An admin file (located at `:\Program Files\Windows IEAK 11\policies`), used by Group Policy to define the system policies and restrictions for Windows. You can use the IEAK 11 to change these settings. | +|.bat |An ASCII text file that contains a sequence of operating system commands, including the parameters and operators supported by the batch command language. When you run the batch file from a command prompt, the computer processes each command sequentially. | +|.bmp, .gif, .jpeg, and .jpg |Image files you can use to customize your toolbar button and favorites list icons. For info, see the [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md) page. | +|.cab |A compressed cabinet (.cab) file, created by the Internet Explorer Customization Wizard 11 to store your custom component files. We highly recommend that your .cab files be signed for security purposes. For more info, see the [Security features and IEAK 11](security-and-ieak11.md) page. | +|.cif |A component info file (IESetup.cif), identifying the new or updated components you're going to install with Internet Explorer. Each component file has an associated *ComponentID* that's used by Windows Update Setup to determine whether a new component or an update exists. | +|.cmp |Connection profile files that are created by the Connection Manager Administration Kit (CMAK). | +|.cms |Service provider files, created by the CMAK tool to specify the configuration of the phone book and many of the other functions of your service profiles. | +|.exe |Executable files that control the setup process, by installing the .cab files that install the custom browser package on your employee's devices. | +|.inf |Setup information files that provide installation instructions for your custom browser packages. For more info, see the [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md) page. | +|.ins |Internet Settings files that specify how to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. For more info, see the [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md) page. | +|.pac |Proxy auto-configuration script files that determine whether to connect directly to a host or to use a proxy server. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | +|.js and .jvs |JScript and JavaScript files that let you configure and maintain your advanced proxy settings. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. | +|.pvk |A file format used by some certification authorities to store the private key of the digital certificate. The public part of the digital certificate is stored in an SPC file, while the private part is stored in the PVK file. For more info, see the **Understanding certificates** section of the [Security features and IEAK 11](security-and-ieak11.md) page. | +|.sed |Connection profile files, created by the CMAK tool, including the instructions for building the self-extracting executable (.exe) file for your service profiles.

          **Important**
          You must never edit a .sed file. | +|.spc |The software publishing certificate file, which includes:

          • The name and other identifying information of the owner of the certificate.
          • The public key associated with the certificate.
          • The serial number.
          • The length of time the certificate is valid.
          • The digital signature of the certification authority that issued the certificate.
          | + diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md index 292da104da..68b255a273 100644 --- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system. -author: lomayor -ms.prod: ie11 -ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard -The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system. - -- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop. - -- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page. - -**To use the First Run Wizard and Welcome Page Options page** - -1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.

          -Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page. - -2. If you cleared the First Run wizard box, you can decide which **Welcome** page to use: - - - **Use IE11 Welcome Page.** Check this box if you want to use the default IE11 **Welcome** page. - - - **Use a custom Welcome Page.** Check this box if you want to use a custom **Welcome** page. If you choose this option, you need to add the URL to your custom page. - -3. Click **Next** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page or **Back** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system. +author: lomayor +ms.prod: ie11 +ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard +The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system. + +- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop. + +- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page. + +**To use the First Run Wizard and Welcome Page Options page** + +1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.

          +Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page. + +2. If you cleared the First Run wizard box, you can decide which **Welcome** page to use: + + - **Use IE11 Welcome Page.** Check this box if you want to use the default IE11 **Welcome** page. + + - **Use a custom Welcome Page.** Check this box if you want to use a custom **Welcome** page. If you choose this option, you need to add the URL to your custom page. + +3. Click **Next** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page or **Back** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md index 10181210d7..d811730cee 100644 --- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md @@ -1,28 +1,28 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons. -author: lomayor -ms.prod: ie11 -ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Customize the Toolbar button and Favorites List icons using IEAK 11 -Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics. - -**Important**
          Check your license agreement to make sure this customization is available. - -|Graphic |Type and description | -|-----------------------|----------------------------------------------------------------------| -|Browser toolbar button |2 icon (.ico) files with color images for active and inactive states. | -|Favorites List icons |1 icon (.ico) file for each new URL. | - -Your icons must use the .ico file extension, no other image file extension works. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons. +author: lomayor +ms.prod: ie11 +ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Customize the Toolbar button and Favorites List icons using IEAK 11 +Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics. + +**Important**
          Check your license agreement to make sure this customization is available. + +|Graphic |Type and description | +|-----------------------|----------------------------------------------------------------------| +|Browser toolbar button |2 icon (.ico) files with color images for active and inactive states. | +|Favorites List icons |1 icon (.ico) file for each new URL. | + +Your icons must use the .ico file extension, no other image file extension works. + diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md index 1572c07bcb..59cb1d693e 100644 --- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md @@ -1,52 +1,52 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11. -author: lomayor -ms.prod: ie11 -ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Hardware and software requirements for Internet Explorer 11 and the IEAK 11 -Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page. - -## Hardware requirements -Before you start the Internet Explorer Customization Wizard 11, you must check to see how much disk space you have on the drive you're going to use to build the IE11 install package. This drive can be on the same device as the one running the wizard; it just needs to have a secure destination folder. - -Before you start to create your install package, you must meet all of the [Internet Explorer 11 requirements](../ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md), plus: - -- Up to 100 megabytes (MB) of disk space, depending on how many components you include in the installation package. - -- An additional 100 MB of disk space for each custom installation package built. Different media types are considered separate packages. - -## Software requirements -The device you're going to use to build your install packages must be running Internet Explorer 11, on one of these operating systems: - -- Windows 10

          However, you must use the Windows 8.1 target platform and only the "Configuration-only package" is available. - -- Windows 8.1 - -- Windows Server 2012 R2 - -- Windows® 7 Service Pack 1 (SP1) - -- Windows Server 2008 R2 (SP1) - -**Important**
          -The device you're going to use to run IEAK 11 must be running the same version of the operating system as the device where you'll build your install packages. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11. +author: lomayor +ms.prod: ie11 +ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Hardware and software requirements for Internet Explorer 11 and the IEAK 11 +Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page. + +## Hardware requirements +Before you start the Internet Explorer Customization Wizard 11, you must check to see how much disk space you have on the drive you're going to use to build the IE11 install package. This drive can be on the same device as the one running the wizard; it just needs to have a secure destination folder. + +Before you start to create your install package, you must meet all of the [Internet Explorer 11 requirements](../ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md), plus: + +- Up to 100 megabytes (MB) of disk space, depending on how many components you include in the installation package. + +- An additional 100 MB of disk space for each custom installation package built. Different media types are considered separate packages. + +## Software requirements +The device you're going to use to build your install packages must be running Internet Explorer 11, on one of these operating systems: + +- Windows 10

          However, you must use the Windows 8.1 target platform and only the "Configuration-only package" is available. + +- Windows 8.1 + +- Windows Server 2012 R2 + +- Windows® 7 Service Pack 1 (SP1) + +- Windows Server 2008 R2 (SP1) + +**Important**
          +The device you're going to use to run IEAK 11 must be running the same version of the operating system as the device where you'll build your install packages. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md index 705f4822e4..26d3c2806d 100644 --- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md @@ -1,32 +1,32 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component. -author: lomayor -ms.prod: ie11 -ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the HideCustom .INS file to hide the GUID for each custom component -Info about whether to hide the globally unique identifier (GUID) for each of your custom components. - -|Name |Value |Description | -|------|-------------------------------------------------------------------------------------|-----------------------------------------------| -|GUID |

          • **0.** Component isn't hidden.
          • **1.** Component is hidden.
          |Determines whether this is a hidden component. | - - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component. +author: lomayor +ms.prod: ie11 +ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the HideCustom .INS file to hide the GUID for each custom component +Info about whether to hide the globally unique identifier (GUID) for each of your custom components. + +|Name |Value |Description | +|------|-------------------------------------------------------------------------------------|-----------------------------------------------| +|GUID |
          • **0.** Component isn't hidden.
          • **1.** Component is hidden.
          |Determines whether this is a hidden component. | + + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md index 2e6aff92eb..66973a3a25 100644 --- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md +++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md @@ -1,68 +1,68 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Reference about the command-line options and return codes for Internet Explorer Setup. -author: lomayor -ms.prod: ie11 -ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Internet Explorer Setup command-line options and return codes -You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization. - -## IE Setup command-line options -These command-line options work with IE Setup: - -`[/help] [/passive | /quiet] [/update-no] [/no-default] [/nobackup] [/ieak-full: | /ieak-branding: ] [/norestart | /forcerestart] [/log: ` - -|Parameter (Setup modes) |Description | -|------------------------|-------------------------------------------------------------------------------------------------| -|`/passive` |Runs the install without requiring input from the employee, showing progress and error messages. | -|`/quiet` |Identical to `/passive`, but doesn't show any of the progress or error messages to the employee. | -

          - -|Parameter (Setup options) |Description | -|--------------------------|-------------------------------------------------------------------------------------------------| -|`/update-no` |Doesn't look for Internet Explorer updates. | -|`/no-default` |Doesn't make Internet Explorer the default browser. | -|`/no-backup` |Doesn't back up the files necessary to uninstall IE. | -|`/ieak-full` |Reserved for use by the IEAK 11. | -|`/ieak-branding` |Reserved for use by the IEAK 11. | -

          - -|Parameter (Restart options) |Description | -|----------------------------|--------------------------------------------| -|`/norestart` |Doesn't restart after installation. | -|`/forcerestart` |Restarts after installation. | -

          - -|Parameter (miscellaneous options) |Description | -|----------------------------------|--------------------------------------------| -|`/help` |Provides help info. Can't be used with any other option. | -|`/log ` |Creates a log file about the installation process, at the specified location. | - - -## Windows Setup return and status codes -Windows Setup needs to tell you whether IE successfully installed. However, because IE11wzd.exe is packaged inside your IE11setup.exe file, the return codes can’t be sent directly back to you. Instead, Setup needs to return the information (both success and failure) to the `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstallInfo` registry branch. - -|Subkey |Data type |Value | -|---------|----------|---------------------------------------| -|Complete |String |0 = Success | -|Complete |String |0x80100003 = Files are missing for the requested installation. | -|Complete |String |0x80100001 = Setup partially succeeded. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | -|Complete |String |0x80100002 = Setup partially succeeded, but the employee cancelled Setup. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | -|FailedComponents |MultiSZ |``Null``Component1 | -|InstallStatus |Binary |0 = Install completed successfully. | -|InstallStatus |Binary |1 = Suspend Setup.
          The employee cancelled Setup and is then asked to confirm:

          • 2 = No, don’t cancel. Resume Setup.
          • 3 = Yes, cancel confirmed. Quit Setup as soon as possible.

          **Important**
          If the cancellation is confirmed, Setup will quit as soon as all of the in-progress tasks are done, like copying or extracting files. | - -## Related topics -- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) -- [Express Wizard command-line options](iexpress-command-line-options.md) - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Reference about the command-line options and return codes for Internet Explorer Setup. +author: lomayor +ms.prod: ie11 +ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Internet Explorer Setup command-line options and return codes +You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization. + +## IE Setup command-line options +These command-line options work with IE Setup: + +`[/help] [/passive | /quiet] [/update-no] [/no-default] [/nobackup] [/ieak-full: | /ieak-branding: ] [/norestart | /forcerestart] [/log: ` + +|Parameter (Setup modes) |Description | +|------------------------|-------------------------------------------------------------------------------------------------| +|`/passive` |Runs the install without requiring input from the employee, showing progress and error messages. | +|`/quiet` |Identical to `/passive`, but doesn't show any of the progress or error messages to the employee. | +

          + +|Parameter (Setup options) |Description | +|--------------------------|-------------------------------------------------------------------------------------------------| +|`/update-no` |Doesn't look for Internet Explorer updates. | +|`/no-default` |Doesn't make Internet Explorer the default browser. | +|`/no-backup` |Doesn't back up the files necessary to uninstall IE. | +|`/ieak-full` |Reserved for use by the IEAK 11. | +|`/ieak-branding` |Reserved for use by the IEAK 11. | +

          + +|Parameter (Restart options) |Description | +|----------------------------|--------------------------------------------| +|`/norestart` |Doesn't restart after installation. | +|`/forcerestart` |Restarts after installation. | +

          + +|Parameter (miscellaneous options) |Description | +|----------------------------------|--------------------------------------------| +|`/help` |Provides help info. Can't be used with any other option. | +|`/log ` |Creates a log file about the installation process, at the specified location. | + + +## Windows Setup return and status codes +Windows Setup needs to tell you whether IE successfully installed. However, because IE11wzd.exe is packaged inside your IE11setup.exe file, the return codes can’t be sent directly back to you. Instead, Setup needs to return the information (both success and failure) to the `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\InstallInfo` registry branch. + +|Subkey |Data type |Value | +|---------|----------|---------------------------------------| +|Complete |String |0 = Success | +|Complete |String |0x80100003 = Files are missing for the requested installation. | +|Complete |String |0x80100001 = Setup partially succeeded. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | +|Complete |String |0x80100002 = Setup partially succeeded, but the employee cancelled Setup. One or more components weren’t downloaded or installed. Check the **FailedComponents** subkey for the list of components. | +|FailedComponents |MultiSZ |``Null``Component1 | +|InstallStatus |Binary |0 = Install completed successfully. | +|InstallStatus |Binary |1 = Suspend Setup.
          The employee cancelled Setup and is then asked to confirm:

          • 2 = No, don’t cancel. Resume Setup.
          • 3 = Yes, cancel confirmed. Quit Setup as soon as possible.

          **Important**
          If the cancellation is confirmed, Setup will quit as soon as all of the in-progress tasks are done, like copying or extracting files. | + +## Related topics +- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) +- [Express Wizard command-line options](iexpress-command-line-options.md) + diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md index c876d926bb..956404de2f 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md +++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md @@ -1,51 +1,51 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. -author: lomayor -ms.author: lomayor -ms.manager: dougkim -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: Internet Explorer Administration Kit (IEAK) information and downloads -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Internet Explorer Administration Kit (IEAK) information and downloads - ->Applies to: Windows 10 - -The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). - - -## Internet Explorer Administration Kit 11 (IEAK 11) - -[IEAK 11 documentation](index.md) - -[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - -[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) - -[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md) - -## Download IEAK - -To download, choose to **Open** the download or **Save** it to your hard drive first. - - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | -|[Chinese (Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | -|[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. +author: lomayor +ms.author: lomayor +ms.manager: dougkim +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: Internet Explorer Administration Kit (IEAK) information and downloads +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Internet Explorer Administration Kit (IEAK) information and downloads + +>Applies to: Windows 10 + +The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). + + +## Internet Explorer Administration Kit 11 (IEAK 11) + +[IEAK 11 documentation](index.md) + +[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) + +[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) + +[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md) + +## Download IEAK + +To download, choose to **Open** the download or **Save** it to your hard drive first. + + +| | | | +|---------|---------|---------| +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | +|[Chinese (Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | +|[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md index 16275db551..8890f6d65b 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md +++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md @@ -1,44 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Review the options available to help you customize your browser install packages for deployment to your employee's devices. -author: lomayor -ms.prod: ie11 -ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options -Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices. - -## IE Customization Wizard 11 options -IEAK 11 lets you customize a lot of Internet Explorer 11, including the IE and Internet Explorer for the desktop experiences. For more info about the experiences, see [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). For info about which pages appear in the **Internal** or **External** version of IE Customization Wizard 11, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - -|Internet Explorer Customization Wizard 11 page |Browser experience |Description | -|-----------------------------------------------|------------------------------------|-----------------------------| -|[Custom Components](custom-components-ieak11-wizard.md) |Internet Explorer for the desktop |Add up to 10 additional components that your employees can install at the same time they install IE. | -|[Internal install](internal-install-ieak11-wizard.md) |Internet Explorer for the desktop |Choose to set IE11 as the default browser.

          **Note**
          This only applies to IE11 on Windows 7 SP1 | -|[User Experience](user-experience-ieak11-wizard.md) |Internet Explorer for the desktop |Control the installation and restart experience for your employees.

          This only applies to IE11 on Windows 7 SP1 | -|[Browser user interface](browser-ui-ieak11-wizard.md) |Internet Explorer for the desktop |Customize your title bars and toolbar buttons. | -|[Search Providers](search-providers-ieak11-wizard.md) |Both |Import and add Search providers. | -|[Important URLs – Home page and Support](important-urls-home-page-and-support-ieak11-wizard.md) |The **Support** page is supported by both experiences. The **Home** page is only supported on Internet Explorer for the desktop. |Add URLs for your **Home** and **Support** pages. | -|[Accelerators](accelerators-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add default accelerators. | -|[Favorites, Favorites Bar and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add items to the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder.

          **Note**
          You can turn off the entire **Suggested Sites** feature from this page. | -|[Browsing Options](browsing-options-ieak11-wizard.md) |Doesn't apply. The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. |Choose how to manage items in the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder. You can also turn off the Microsoft-default Favorites, Web slices, links, feeds, and accelerators. | -|[First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) |Internet Explorer for the desktop |Decide if the First Run wizard appears the first time an employee starts IE. You can also use the IE11 **Welcome** page, or link to a custom **Welcome** page. | -|[Compatibility View](compat-view-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. For more information, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). | -|[Connection Manager](connection-mgr-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | -|[Connection Settings](connection-settings-ieak11-wizard.md) |Both |Choose whether to customize your connection settings. You can also choose to delete old dial-up connection settings. | -|[Automatic Configuration](auto-config-ieak11-wizard.md) |Both |Choose whether to automatically detect configuration settings and whether to turn on and customize automatic configuration. | -|[Proxy Settings](proxy-settings-ieak11-wizard.md) |Both |Turn on and set up your proxy servers.

          **Note**
          We don't support Gopher Server anymore. | -|[Add a Root Certification](add-root-certificate-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | -|[Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) |The **Security Zones and Privacy** settings are supported by both experiences. The **Content Ratings** are only supported on Internet Explorer for the desktop. |Decide if you want to:

          • Customize your security zones and privacy settings

            • -OR-

          • Import your current security zones and privacy settings

            • -AND-

          • Customize your content ratings settings

            • -OR-

          • Import your current content ratings settings
          | -|[Programs](programs-ieak11-wizard.md) |Internet Explorer for the desktop |Decide your default programs or import your current settings. | -|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Review the options available to help you customize your browser install packages for deployment to your employee's devices. +author: lomayor +ms.prod: ie11 +ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options +Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices. + +## IE Customization Wizard 11 options +IEAK 11 lets you customize a lot of Internet Explorer 11, including the IE and Internet Explorer for the desktop experiences. For more info about the experiences, see [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). For info about which pages appear in the **Internal** or **External** version of IE Customization Wizard 11, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). + +|Internet Explorer Customization Wizard 11 page |Browser experience |Description | +|-----------------------------------------------|------------------------------------|-----------------------------| +|[Custom Components](custom-components-ieak11-wizard.md) |Internet Explorer for the desktop |Add up to 10 additional components that your employees can install at the same time they install IE. | +|[Internal install](internal-install-ieak11-wizard.md) |Internet Explorer for the desktop |Choose to set IE11 as the default browser.

          **Note**
          This only applies to IE11 on Windows 7 SP1 | +|[User Experience](user-experience-ieak11-wizard.md) |Internet Explorer for the desktop |Control the installation and restart experience for your employees.

          This only applies to IE11 on Windows 7 SP1 | +|[Browser user interface](browser-ui-ieak11-wizard.md) |Internet Explorer for the desktop |Customize your title bars and toolbar buttons. | +|[Search Providers](search-providers-ieak11-wizard.md) |Both |Import and add Search providers. | +|[Important URLs – Home page and Support](important-urls-home-page-and-support-ieak11-wizard.md) |The **Support** page is supported by both experiences. The **Home** page is only supported on Internet Explorer for the desktop. |Add URLs for your **Home** and **Support** pages. | +|[Accelerators](accelerators-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add default accelerators. | +|[Favorites, Favorites Bar and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) |Internet Explorer for the desktop |Import and add items to the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder.

          **Note**
          You can turn off the entire **Suggested Sites** feature from this page. | +|[Browsing Options](browsing-options-ieak11-wizard.md) |Doesn't apply. The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page. |Choose how to manage items in the **Favorites** folder, the **Favorites Bar**, and the **Feeds** folder. You can also turn off the Microsoft-default Favorites, Web slices, links, feeds, and accelerators. | +|[First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) |Internet Explorer for the desktop |Decide if the First Run wizard appears the first time an employee starts IE. You can also use the IE11 **Welcome** page, or link to a custom **Welcome** page. | +|[Compatibility View](compat-view-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. For more information, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). | +|[Connection Manager](connection-mgr-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | +|[Connection Settings](connection-settings-ieak11-wizard.md) |Both |Choose whether to customize your connection settings. You can also choose to delete old dial-up connection settings. | +|[Automatic Configuration](auto-config-ieak11-wizard.md) |Both |Choose whether to automatically detect configuration settings and whether to turn on and customize automatic configuration. | +|[Proxy Settings](proxy-settings-ieak11-wizard.md) |Both |Turn on and set up your proxy servers.

          **Note**
          We don't support Gopher Server anymore. | +|[Add a Root Certification](add-root-certificate-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. | +|[Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) |The **Security Zones and Privacy** settings are supported by both experiences. The **Content Ratings** are only supported on Internet Explorer for the desktop. |Decide if you want to:

          • Customize your security zones and privacy settings

            • -OR-

          • Import your current security zones and privacy settings

            • -AND-

          • Customize your content ratings settings

            • -OR-

          • Import your current content ratings settings
          | +|[Programs](programs-ieak11-wizard.md) |Internet Explorer for the desktop |Decide your default programs or import your current settings. | +|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. | + diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md index 00e0667eb1..d36ca26c63 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Reference about the command-line options for the IExpress Wizard. -author: lomayor -ms.prod: ie11 -ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -**Applies to:** -- Windows Server 2008 R2 with SP1 - -# IExpress Wizard command-line options -Use command-line options with the IExpress Wizard (IExpress.exe) to control your Internet Explorer custom browser package extraction process. - -These command-line options work with IExpress:
          -`Ie11setup /c:"ie11wzd "` - -|Parameter |Action | -|----------|--------------------------------------------------------------------------------------------| -|`/q` |Specifies quiet mode, hiding all of the prompts, while files are being extracted. This option won’t suppress prompts during Setup. | -|`/q:u` |Specifies user-quiet mode, letting some of the progress and error messages appear to the employee. | -|`/q:a` |Specifies administrator-quiet mode, hiding all of the progress and error messages from the employee. | -|`/t:` |Specifies where to store your extracted files. | -|`/c:` |Extracts all of the files without installing them. If `t:/` isn’t used, you’ll be prompted for a storage folder. | -|`/c:` |Specifies the UNC path and name of the Setup .inf or .exe file. | -|`/r:n` |Never restarts the computer after installation. | -|`/r:a` |Always restarts the computer after installation. | -|`/r:s` |Restarts the computer after installation without prompting the employee. | - -For more information, see [Command-line switches for IExpress software update packages](https://go.microsoft.com/fwlink/p/?LinkId=317973). - -## Related topics -- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) -- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Reference about the command-line options for the IExpress Wizard. +author: lomayor +ms.prod: ie11 +ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +**Applies to:** +- Windows Server 2008 R2 with SP1 + +# IExpress Wizard command-line options +Use command-line options with the IExpress Wizard (IExpress.exe) to control your Internet Explorer custom browser package extraction process. + +These command-line options work with IExpress:
          +`Ie11setup /c:"ie11wzd "` + +|Parameter |Action | +|----------|--------------------------------------------------------------------------------------------| +|`/q` |Specifies quiet mode, hiding all of the prompts, while files are being extracted. This option won’t suppress prompts during Setup. | +|`/q:u` |Specifies user-quiet mode, letting some of the progress and error messages appear to the employee. | +|`/q:a` |Specifies administrator-quiet mode, hiding all of the progress and error messages from the employee. | +|`/t:` |Specifies where to store your extracted files. | +|`/c:` |Extracts all of the files without installing them. If `t:/` isn’t used, you’ll be prompted for a storage folder. | +|`/c:` |Specifies the UNC path and name of the Setup .inf or .exe file. | +|`/r:n` |Never restarts the computer after installation. | +|`/r:a` |Always restarts the computer after installation. | +|`/r:s` |Restarts the computer after installation without prompting the employee. | + +For more information, see [Command-line switches for IExpress software update packages](https://go.microsoft.com/fwlink/p/?LinkId=317973). + +## Related topics +- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) +- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) + diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md index 8590dc3ff7..ced5d1a708 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md @@ -1,72 +1,72 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program. -author: lomayor -ms.prod: ie11 -ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# IExpress Wizard for Windows Server 2008 R2 with SP1 -Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside. - -## IExpress Wizard location -The IExpress Wizard (Iexpress.exe) is included as part of Windows Server 2008 R2 with Service Pack 1 (SP1), in the `:\Windows\System32` folder. The wizard uses a self-extraction directive (.sed) file to store your package’s information. When you run the wizard, you have the option to start with an existing .sed file or to create a new one. - -## IExpress Wizard features -The IExpress Wizard: - -- Performs silent, unattended installations of your custom IE packages. - -- Supports upgrading IE without removing previous installations. - -- Supports repeated updating or performing clean installations of the same IE build. - -## IExpress Wizard settings -The IExpress Wizard lets you: - -- Decide whether the self-installing package is for administrators or for general employees. - -- Set multiple ways to run the installation command, such as in normal or silent mode. - -- Determine whether the IExpress dynamic-link libraries (.dll files) are updated on an employee’s computer. - -- Determine the compatibility of the installation package, based on the operating system version range, the browser version range, or any application version range. - -- Update and add files to the IExpress package, using the UPDFILE tool, without having to rebuild the package. - -- Replace Runonce with RunOnceEx (if the newer version of Iernonce.dll exists); giving you control over the job run order and status display. - -- Let corporate administrators set up support for roaming employees. - -- Let Internet Content Providers (ICPs) and Internet Service Providers (ISPs) generate packages for preconfigured desktops with custom, current content. - -- Save disk space by cleaning up the hard drive when running in Setup, uninstallation, and maintenance modes. - -- Provide support for multiple download sites. - -- Provide support for internal and external development, customization, expandability, and enhanced debugging. - -- Provide support for the extended character set, beyond single-byte characters (SBCS). - -- Provide support for using the .inf file format to download Internet components. For more information, see [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md). - -## Related topics -- [IExpress command-line options](iexpress-command-line-options.md) -- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program. +author: lomayor +ms.prod: ie11 +ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# IExpress Wizard for Windows Server 2008 R2 with SP1 +Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside. + +## IExpress Wizard location +The IExpress Wizard (Iexpress.exe) is included as part of Windows Server 2008 R2 with Service Pack 1 (SP1), in the `:\Windows\System32` folder. The wizard uses a self-extraction directive (.sed) file to store your package’s information. When you run the wizard, you have the option to start with an existing .sed file or to create a new one. + +## IExpress Wizard features +The IExpress Wizard: + +- Performs silent, unattended installations of your custom IE packages. + +- Supports upgrading IE without removing previous installations. + +- Supports repeated updating or performing clean installations of the same IE build. + +## IExpress Wizard settings +The IExpress Wizard lets you: + +- Decide whether the self-installing package is for administrators or for general employees. + +- Set multiple ways to run the installation command, such as in normal or silent mode. + +- Determine whether the IExpress dynamic-link libraries (.dll files) are updated on an employee’s computer. + +- Determine the compatibility of the installation package, based on the operating system version range, the browser version range, or any application version range. + +- Update and add files to the IExpress package, using the UPDFILE tool, without having to rebuild the package. + +- Replace Runonce with RunOnceEx (if the newer version of Iernonce.dll exists); giving you control over the job run order and status display. + +- Let corporate administrators set up support for roaming employees. + +- Let Internet Content Providers (ICPs) and Internet Service Providers (ISPs) generate packages for preconfigured desktops with custom, current content. + +- Save disk space by cleaning up the hard drive when running in Setup, uninstallation, and maintenance modes. + +- Provide support for multiple download sites. + +- Provide support for internal and external development, customization, expandability, and enhanced debugging. + +- Provide support for the extended character set, beyond single-byte characters (SBCS). + +- Provide support for using the .inf file format to download Internet components. For more information, see [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md). + +## Related topics +- [IExpress command-line options](iexpress-command-line-options.md) +- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md index 0ecb9dcb7f..6e1ac8e67a 100644 --- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. -author: lomayor -ms.prod: ie11 -ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard -The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE. - -**To use the Important URLS – Home Page and Support page** - -1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.

          -If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses https://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**. - -2. Check the **Retain previous Home Page (Upgrade)** box if you have employees with previous versions of IE, who need to keep their **Home** page settings when the browser is updated. - -3. Check the **Online support page URL** box to type in the URL to your own support page. Customizing the support page is only supported in Internet Explorer for the desktop. - -4. Click **Next** to go to the [Accelerators](accelerators-ieak11-wizard.md) page or **Back** to go to the [Search Providers](search-providers-ieak11-wizard.md) page. - - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. +author: lomayor +ms.prod: ie11 +ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard +The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE. + +**To use the Important URLS – Home Page and Support page** + +1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.

          +If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses https://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**. + +2. Check the **Retain previous Home Page (Upgrade)** box if you have employees with previous versions of IE, who need to keep their **Home** page settings when the browser is updated. + +3. Check the **Online support page URL** box to type in the URL to your own support page. Customizing the support page is only supported in Internet Explorer for the desktop. + +4. Click **Next** to go to the [Accelerators](accelerators-ieak11-wizard.md) page or **Back** to go to the [Search Providers](search-providers-ieak11-wizard.md) page. + + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index 74c0cbdb1c..ea51efa9dc 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -45,4 +45,4 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) \ No newline at end of file +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md index d6ec147ebd..59969fe56f 100644 --- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. -author: lomayor -ms.prod: ie11 -ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Internal Install page in the IEAK 11 Wizard -The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines. - -**Note**
          The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7. - -**To use the Internal Install page** - -1. Pick either: - - - **Allow user to choose.** Lets your employees pick their own default browser.

          -OR-

          - - - **Do not set IE as the default browser.** Won’t set IE as the default browser. However, your employees can still make IE the default. - -2. Click **Next** to go to the [User Experience](user-experience-ieak11-wizard.md) page or **Back** to go to the [Custom Components](custom-components-ieak11-wizard.md). - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. +author: lomayor +ms.prod: ie11 +ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Internal Install page in the IEAK 11 Wizard +The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines. + +**Note**
          The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7. + +**To use the Internal Install page** + +1. Pick either: + + - **Allow user to choose.** Lets your employees pick their own default browser.

          -OR-

          + + - **Do not set IE as the default browser.** Won’t set IE as the default browser. However, your employees can still make IE the default. + +2. Click **Next** to go to the [User Experience](user-experience-ieak11-wizard.md) page or **Back** to go to the [Custom Components](custom-components-ieak11-wizard.md). + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md index 5b910085bb..58fd70a9aa 100644 --- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md @@ -1,23 +1,23 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package. -author: lomayor -ms.prod: ie11 -ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the ISP_Security .INS file to add your root certificate -Info about where you store the root certificate you’re adding to your custom package. - -|Name |Value |Description | -|---------------|-----------------------|------------------------------------------------------------------------------------------| -|RootCertPath |`` |Location and name of the root certificate you want to add to your custom install package. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package. +author: lomayor +ms.prod: ie11 +ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the ISP_Security .INS file to add your root certificate +Info about where you store the root certificate you’re adding to your custom package. + +|Name |Value |Description | +|---------------|-----------------------|------------------------------------------------------------------------------------------| +|RootCertPath |`` |Location and name of the root certificate you want to add to your custom install package. | + diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md index 3132ba6558..a266fcba98 100644 --- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the language for your IEAK 11 custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Language Selection page in the IEAK 11 Wizard -The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in. - -**Important**
          Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly. - -**To use the Language Selection page** - -1. Pick the language you want your custom IE11 installation package to use.

          -You can support as many languages as you want, but each localized version must be in its own install package.

          -**Note**
          To keep your settings across multiple versions of the package, you can pick the same destination folder for all versions. The different language versions are then saved in separate subfolders within that destination folder. Like, for an English version, `C:\Cie\Build1\Flat\Win32_WIN8\en-US\` and for a German version, `C:\Cie\Build1\Flat\Win32_WIN8\de-DE\`. - -2. Click **Next** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page or **Back** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the language for your IEAK 11 custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Language Selection page in the IEAK 11 Wizard +The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in. + +**Important**
          Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly. + +**To use the Language Selection page** + +1. Pick the language you want your custom IE11 installation package to use.

          +You can support as many languages as you want, but each localized version must be in its own install package.

          +**Note**
          To keep your settings across multiple versions of the package, you can pick the same destination folder for all versions. The different language versions are then saved in separate subfolders within that destination folder. Like, for an English version, `C:\Cie\Build1\Flat\Win32_WIN8\en-US\` and for a German version, `C:\Cie\Build1\Flat\Win32_WIN8\de-DE\`. + +2. Click **Next** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page or **Back** to go to the [Platform Selection](platform-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 2631d361e7..7a6e3d009f 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md @@ -4,9 +4,10 @@ ms.mktglfcycl: plan description: Learn about the version of the IEAK 11 you should run, based on your license agreement. author: lomayor ms.author: lomayor -ms.prod: ie11, ieak11 +ms.prod: ie11 ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 ms.reviewer: +audience: itpro manager: dansimp title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md index 1d64dec04f..2aa91f6753 100644 --- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md @@ -1,23 +1,23 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. -author: lomayor -ms.prod: ie11 -ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Media .INS file to specify your install media -The types of media on which your custom install package is available. - -|Name |Value |Description | -|-----|------|-----------------| -|Build_LAN |

          • **0.** Don’t create the LAN-based installation package.
          • **1.** Create the LAN-based installation package.
          |Determines whether you want to create a LAN-based installation package. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. +author: lomayor +ms.prod: ie11 +ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Media .INS file to specify your install media +The types of media on which your custom install package is available. + +|Name |Value |Description | +|-----|------|-----------------| +|Build_LAN |
          • **0.** Don’t create the LAN-based installation package.
          • **1.** Create the LAN-based installation package.
          |Determines whether you want to create a LAN-based installation package. | + diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md index eb1096749e..6cd52f789f 100644 --- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Package Type Selection page in the IEAK 11 Wizard -The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it. - -**Important**
          You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1. - -**To use the File Locations page** - -1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `\\FLAT\\` folder.

          -OR-

            - -2. Check the **Configuration-only package** box if you want to update an existing installation of IE11. This media package is named **IE11- Setup-Branding.exe**, in the `\\BrndOnly\\` folder.

          -You can distribute this file on any media format or server. It customizes the IE11 features without re-installing IE.

          -**Important**
          You can’t include custom components in a configuration-only package. - -3. Click **Next** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page or **Back** to go to the [Language Selection](language-selection-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Package Type Selection page in the IEAK 11 Wizard +The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it. + +**Important**
          You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1. + +**To use the File Locations page** + +1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `\\FLAT\\` folder.

          -OR-

            + +2. Check the **Configuration-only package** box if you want to update an existing installation of IE11. This media package is named **IE11- Setup-Branding.exe**, in the `\\BrndOnly\\` folder.

          +You can distribute this file on any media format or server. It customizes the IE11 features without re-installing IE.

          +**Important**
          You can’t include custom components in a configuration-only package. + +3. Click **Next** to go to the [Feature Selection](feature-selection-ieak11-wizard.md) page or **Back** to go to the [Language Selection](language-selection-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index 3cb96c9aa2..efbae636fc 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. -author: lomayor -ms.prod: ie11 -ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Platform Selection page in the IEAK 11 Wizard -The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. - -**To use the Platform Selection page** - -1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

          -You must create individual packages for each supported operating system.

          -**Note**
          To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). - -2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. +author: lomayor +ms.prod: ie11 +ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Platform Selection page in the IEAK 11 Wizard +The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. + +**To use the Platform Selection page** + +1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

          +You must create individual packages for each supported operating system.

          +**Note**
          To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). + +2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md index 4579a356b2..56252cfd10 100644 --- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. -author: lomayor -ms.prod: ie11 -ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Before you install your package over your network using IEAK 11 -Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site. - -**To lower your intranet security** - -1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab. - -2. Click **Local intranet**, and then **Sites**. - -3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**. - -**To make your server a trusted site** - -1. From the **Security** tab, click **Trusted sites**, and then **Sites**. - -2. Type the location of the server with the downloadable custom browser package, and then click **Add**. - -3. Repeat this step for every server that will include the custom browser package for download. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. +author: lomayor +ms.prod: ie11 +ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Before you install your package over your network using IEAK 11 +Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site. + +**To lower your intranet security** + +1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab. + +2. Click **Local intranet**, and then **Sites**. + +3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**. + +**To make your server a trusted site** + +1. From the **Security** tab, click **Trusted sites**, and then **Sites**. + +2. Type the location of the server with the downloadable custom browser package, and then click **Add**. + +3. Repeat this step for every server that will include the custom browser package for download. + diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index f3e5a30959..a4d2c384bb 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. -author: lomayor -ms.prod: ie11 -ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Programs page in the IEAK 11 Wizard -The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. - -**Important**
          The customizations you make on this page only apply to Internet Explorer for the desktop. - -**To use the Programs page** - -1. Determine whether you want to customize your connection settings. You can pick: - - - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

          -OR-

          - - - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

          **Note**
          If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. - -2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. +author: lomayor +ms.prod: ie11 +ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Programs page in the IEAK 11 Wizard +The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. + +**Important**
          The customizations you make on this page only apply to Internet Explorer for the desktop. + +**To use the Programs page** + +1. Determine whether you want to customize your connection settings. You can pick: + + - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

          -OR-

          + + - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

          **Note**
          If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. + +2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md index 03b4bfee50..347e753856 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md @@ -1,181 +1,181 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. -author: lomayor -ms.prod: ie11 -ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use proxy auto-configuration (.pac) files with IEAK 11 -These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info. - -Included examples: -- [Example 1: Connect directly if the host is local](#example-1-connect-directly-if-the-host-is-local) -- [Example 2: Connect directly if the host is inside the firewall](#example-2-connect-directly-if-the-host-is-inside-the-firewall) -- [Example 3: Connect directly if the host name is resolvable](#example-3-connect-directly-if-the-host-name-is-resolvable) -- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet) -- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain) -- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol) -- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address) -- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address) -- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name) -- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week) - - -## Example 1: Connect directly if the host is local -In this example, if the host is local, it can connect directly. However, if the server isn't local, it must connect through a proxy server. Specifically, the `isPlainHostName` function looks to see if there are any periods (.) in the host name. If the function finds periods, it means the host isn’t local and it returns false. Otherwise, the function returns true. - -``` javascript -function FindProxyForURL(url, host) - { - if (isPlainHostName(host)) - return "DIRECT"; - else - return "PROXY proxy:80"; - } -``` -## Example 2: Connect directly if the host is inside the firewall -In this example, if the host is inside the firewall, it can connect directly. However, if the server is outside the firewall, it must connect through a proxy server. Specifically, the `localHostOrDomainIs` function only runs for URLs in the local domain. If the host domain name matches the provided domain information, the `dnsDomainIs` function returns true. - -``` javascript -function FindProxyForURL(url, host) - { - if ((isPlainHostName(host) || - dnsDomainIs(host, ".company.com")) && - !localHostOrDomainIs(host, "www.company.com") && - !localHostOrDoaminIs(host, "home.company.com")) - return "DIRECT"; - else - return "PROXY proxy:80"; -} -``` -## Example 3: Connect directly if the host name is resolvable -In this example, if the host name can be resolved, it can connect directly. However, if the name can’t be resolved, the server must connect through a proxy server. Specifically, this function requests the DNS server to resolve the host name it's passed. If the name can be resolved, a direct connection is made. If it can't, the connection is made using a proxy. This is particularly useful when an internal DNS server is used to resolve all internal host names. - -**Important**
          The `isResolvable` function queries a Domain Name System (DNS) server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. - -``` javascript -function FindProxyForURL(url, host) - { - if (isResolvable(host)) - return "DIRECT"; - else - return "PROXY proxy:80"; - } -``` - -## Example 4: Connect directly if the host is in specified subnet -In this example, if the host is in a specified subnet, it can connect directly. However, if the server is outside of the specified subnet, it must connect through a proxy server. Specifically, the `isInNet` (host, pattern, mask) function returns true if the host IP address matches the specified pattern. The mask indicates which part of the IP address to match (255=match, 0=ignore). - -**Important**
          The `isInNet` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. - -``` javascript -function FindProxyForURL(url, host) - { - if (isInNet(host, "999.99.9.9", "255.0.255.0")) - return "DIRECT"; - else - return "PROXY proxy:80"; - } -``` -## Example 5: Determine the connection type based on the host domain -In this example, if the host is local, the server can connect directly. However, if the host isn’t local, this function determines which proxy to use based on the host domain. Specifically, the `shExpMatch(str, shexp)` function returns true if `str` matches the `shexp` using shell expression patterns. This is particularly useful when the host domain name is one of the criteria for proxy selection. - -``` javascript -function FindProxyForURL(url, host) - { - if (isPlainHostName(host)) - return "DIRECT"; - else if (shExpMatch(host, "*.com")) - return "PROXY comproxy:80"; - else if (shExpMatch(host, "*.edu")) - return "PROXY eduproxy:80"; - else - return "PROXY proxy"; - } -``` -## Example 6: Determine the connection type based on the protocol -In this example, the in-use protocol is extracted from the server and used to make a proxy selection. If no protocol match occurs, the server is directly connected. Specifically the `substring` function extracts the specified number of characters from a string. This is particularly useful when protocol is one of the criteria for proxy selection. - -``` javascript -function FindProxyForURL(url, host) - { - if (url.substring(0, 5) == "http:") { - return "PROXY proxy:80"; - } - else if (url.substring(0, 4) == "ftp:") { - return "PROXY fproxy:80"; - } - else if (url.substring(0, 6) == "https:") { - return "PROXY secproxy:8080"; - } - else { - return "DIRECT"; - } - } -``` -## Example 7: Determine the proxy server based on the host name matching the IP address -In this example, the proxy server is selected by translating the host name into an IP address and then comparing the address to a specified string. - -**Important** 
          The `dnsResolve` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. - -``` javascript -function FindProxyForURL(url, host) - { - if (dnsResolve(host) == "999.99.99.999") { // = https://secproxy - return "PROXY secproxy:8080"; - } - else { - return "PROXY proxy:80"; - } - } -``` -## Example 8: Connect using a proxy server if the host IP address matches the specified IP address -In this example, the proxy server is selected by explicitly getting the IP address and then comparing it to a specified string. If no protocol match occurs, the server makes a direct connection. Specifically, the `myIpAddress` function returns the IP address (in integer-period format) for the host that the browser is running on. - -``` javascript -function FindProxyForURL(url, host) - { - if (myIpAddress() == "999.99.999.99") { - return "PROXY proxy:80"; - } - else { - return "DIRECT"; - } - } -``` -## Example 9: Connect using a proxy server if there are periods in the host name -In this example, the function looks to see if there are periods (.) in the host name. If there are any periods, the connection occurs using a proxy server. If there are no periods, a direct connection occurs. Specifically, the `dnsDomainLevels` function returns an integer equal to the number of periods in the host name. - -**Note**
          This is another way to determine connection types based on host name characteristics. - -``` javascript -function FindProxyForURL(url, host) - { - if (dnsDomainLevels(host) > 0) { // if the number of periods in host > 0 - return "PROXY proxy:80"; - } - return "DIRECT"; - } -``` -## Example 10: Connect using a proxy server based on specific days of the week -In this example, the function decides whether to connect to a proxy server, based on the days of the week. Connecting on days that don’t fall between the specified date parameters let the server make a direct connection. Specifically the `weekdayRange(day1 [,day2] [,GMT] )` function returns whether the current system time falls within the range specified by the parameters `day1`, `day2`, and `GMT`. Only the first parameter is required. The GMT parameter presumes time values are in Greenwich Mean Time rather than the local time zone. This function is particularly useful for situations where you want to use a proxy server for heavy traffic times, but allow a direct connection when traffic is light. - -``` javascript -function FindProxyForURL(url, host) - { - if(weekdayRange("WED", "SAT", "GMT")) - return "PROXY proxy:80"; - else - return "DIRECT"; - } -``` - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. +author: lomayor +ms.prod: ie11 +ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use proxy auto-configuration (.pac) files with IEAK 11 +These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info. + +Included examples: +- [Example 1: Connect directly if the host is local](#example-1-connect-directly-if-the-host-is-local) +- [Example 2: Connect directly if the host is inside the firewall](#example-2-connect-directly-if-the-host-is-inside-the-firewall) +- [Example 3: Connect directly if the host name is resolvable](#example-3-connect-directly-if-the-host-name-is-resolvable) +- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet) +- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain) +- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol) +- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address) +- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address) +- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name) +- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week) + + +## Example 1: Connect directly if the host is local +In this example, if the host is local, it can connect directly. However, if the server isn't local, it must connect through a proxy server. Specifically, the `isPlainHostName` function looks to see if there are any periods (.) in the host name. If the function finds periods, it means the host isn’t local and it returns false. Otherwise, the function returns true. + +``` javascript +function FindProxyForURL(url, host) + { + if (isPlainHostName(host)) + return "DIRECT"; + else + return "PROXY proxy:80"; + } +``` +## Example 2: Connect directly if the host is inside the firewall +In this example, if the host is inside the firewall, it can connect directly. However, if the server is outside the firewall, it must connect through a proxy server. Specifically, the `localHostOrDomainIs` function only runs for URLs in the local domain. If the host domain name matches the provided domain information, the `dnsDomainIs` function returns true. + +``` javascript +function FindProxyForURL(url, host) + { + if ((isPlainHostName(host) || + dnsDomainIs(host, ".company.com")) && + !localHostOrDomainIs(host, "www.company.com") && + !localHostOrDoaminIs(host, "home.company.com")) + return "DIRECT"; + else + return "PROXY proxy:80"; +} +``` +## Example 3: Connect directly if the host name is resolvable +In this example, if the host name can be resolved, it can connect directly. However, if the name can’t be resolved, the server must connect through a proxy server. Specifically, this function requests the DNS server to resolve the host name it's passed. If the name can be resolved, a direct connection is made. If it can't, the connection is made using a proxy. This is particularly useful when an internal DNS server is used to resolve all internal host names. + +**Important**
          The `isResolvable` function queries a Domain Name System (DNS) server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. + +``` javascript +function FindProxyForURL(url, host) + { + if (isResolvable(host)) + return "DIRECT"; + else + return "PROXY proxy:80"; + } +``` + +## Example 4: Connect directly if the host is in specified subnet +In this example, if the host is in a specified subnet, it can connect directly. However, if the server is outside of the specified subnet, it must connect through a proxy server. Specifically, the `isInNet` (host, pattern, mask) function returns true if the host IP address matches the specified pattern. The mask indicates which part of the IP address to match (255=match, 0=ignore). + +**Important**
          The `isInNet` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. + +``` javascript +function FindProxyForURL(url, host) + { + if (isInNet(host, "999.99.9.9", "255.0.255.0")) + return "DIRECT"; + else + return "PROXY proxy:80"; + } +``` +## Example 5: Determine the connection type based on the host domain +In this example, if the host is local, the server can connect directly. However, if the host isn’t local, this function determines which proxy to use based on the host domain. Specifically, the `shExpMatch(str, shexp)` function returns true if `str` matches the `shexp` using shell expression patterns. This is particularly useful when the host domain name is one of the criteria for proxy selection. + +``` javascript +function FindProxyForURL(url, host) + { + if (isPlainHostName(host)) + return "DIRECT"; + else if (shExpMatch(host, "*.com")) + return "PROXY comproxy:80"; + else if (shExpMatch(host, "*.edu")) + return "PROXY eduproxy:80"; + else + return "PROXY proxy"; + } +``` +## Example 6: Determine the connection type based on the protocol +In this example, the in-use protocol is extracted from the server and used to make a proxy selection. If no protocol match occurs, the server is directly connected. Specifically the `substring` function extracts the specified number of characters from a string. This is particularly useful when protocol is one of the criteria for proxy selection. + +``` javascript +function FindProxyForURL(url, host) + { + if (url.substring(0, 5) == "http:") { + return "PROXY proxy:80"; + } + else if (url.substring(0, 4) == "ftp:") { + return "PROXY fproxy:80"; + } + else if (url.substring(0, 6) == "https:") { + return "PROXY secproxy:8080"; + } + else { + return "DIRECT"; + } + } +``` +## Example 7: Determine the proxy server based on the host name matching the IP address +In this example, the proxy server is selected by translating the host name into an IP address and then comparing the address to a specified string. + +**Important** 
          The `dnsResolve` function queries a DNS server. References to Object Model objects, properties, or methods cause the proxy auto-configuration file to fail silently. For example, the references `window.open(...)`, `alert(...)`, and `password(...)` all cause the proxy auto-configuration file to fail. + +``` javascript +function FindProxyForURL(url, host) + { + if (dnsResolve(host) == "999.99.99.999") { // = https://secproxy + return "PROXY secproxy:8080"; + } + else { + return "PROXY proxy:80"; + } + } +``` +## Example 8: Connect using a proxy server if the host IP address matches the specified IP address +In this example, the proxy server is selected by explicitly getting the IP address and then comparing it to a specified string. If no protocol match occurs, the server makes a direct connection. Specifically, the `myIpAddress` function returns the IP address (in integer-period format) for the host that the browser is running on. + +``` javascript +function FindProxyForURL(url, host) + { + if (myIpAddress() == "999.99.999.99") { + return "PROXY proxy:80"; + } + else { + return "DIRECT"; + } + } +``` +## Example 9: Connect using a proxy server if there are periods in the host name +In this example, the function looks to see if there are periods (.) in the host name. If there are any periods, the connection occurs using a proxy server. If there are no periods, a direct connection occurs. Specifically, the `dnsDomainLevels` function returns an integer equal to the number of periods in the host name. + +**Note**
          This is another way to determine connection types based on host name characteristics. + +``` javascript +function FindProxyForURL(url, host) + { + if (dnsDomainLevels(host) > 0) { // if the number of periods in host > 0 + return "PROXY proxy:80"; + } + return "DIRECT"; + } +``` +## Example 10: Connect using a proxy server based on specific days of the week +In this example, the function decides whether to connect to a proxy server, based on the days of the week. Connecting on days that don’t fall between the specified date parameters let the server make a direct connection. Specifically the `weekdayRange(day1 [,day2] [,GMT] )` function returns whether the current system time falls within the range specified by the parameters `day1`, `day2`, and `GMT`. Only the first parameter is required. The GMT parameter presumes time values are in Greenwich Mean Time rather than the local time zone. This function is particularly useful for situations where you want to use a proxy server for heavy traffic times, but allow a direct connection when traffic is light. + +``` javascript +function FindProxyForURL(url, host) + { + if(weekdayRange("WED", "SAT", "GMT")) + return "PROXY proxy:80"; + else + return "DIRECT"; + } +``` + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md index 8210cccc8e..5b10604a11 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md @@ -1,30 +1,30 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. -author: lomayor -ms.prod: ie11 -ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Proxy .INS file to specify a proxy server -Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server. - -|Name |Value |Description | -|-----|------|------------| -|FTP_Proxy_Server |`` |The host name for the FTP proxy server. | -|Gopher_Proxy_Server |`` |We no longer support Gopher Server. | -|HTTP_Proxy_Server |`` |The host name for the HTTP proxy server. | -|Proxy_Enable |

          • **0.** Don’t use a proxy server.
          • **1.** Use a proxy server.
          |Determines whether to use a proxy server. | -|Proxy_Override |`` |The host name for the proxy server. For example, ``. | -|Secure_Proxy_Server |`` |The host name for the secure proxy server. | -|Socks_Proxy_Server |`` |The host name for the SOCKS proxy server. | -|Use_Same_Proxy |
          • **0.** Don’t use the same proxy server for all services.
          • **1.** Use the same proxy server for all services.
          |Determines whether to use a single proxy server for all services. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. +author: lomayor +ms.prod: ie11 +ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Proxy .INS file to specify a proxy server +Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server. + +|Name |Value |Description | +|-----|------|------------| +|FTP_Proxy_Server |`` |The host name for the FTP proxy server. | +|Gopher_Proxy_Server |`` |We no longer support Gopher Server. | +|HTTP_Proxy_Server |`` |The host name for the HTTP proxy server. | +|Proxy_Enable |
          • **0.** Don’t use a proxy server.
          • **1.** Use a proxy server.
          |Determines whether to use a proxy server. | +|Proxy_Override |`` |The host name for the proxy server. For example, ``. | +|Secure_Proxy_Server |`` |The host name for the secure proxy server. | +|Socks_Proxy_Server |`` |The host name for the SOCKS proxy server. | +|Use_Same_Proxy |
          • **0.** Don’t use the same proxy server for all services.
          • **1.** Use the same proxy server for all services.
          |Determines whether to use a single proxy server for all services. | + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index 76a1a40aac..8ee40e8323 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -1,55 +1,55 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. -author: lomayor -ms.prod: ie11 -ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Proxy Settings page in the IEAK 11 Wizard -The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package. - -Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings. - -**To use the Proxy Settings page** - -1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. - -2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.

          -Proxy locations that don’t begin with a protocol (like, https:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `https://proxy`. - -3. Type the port for each service. The default value is *80*. - -4. Check the **Use the same proxy server for all addresses** box to use the same proxy server settings for all of your services. - -5. Type any services that shouldn’t use a proxy server into the **Do not use proxy server for addresses beginning with** box.

          -When filling out your exceptions, keep in mind: - - - Proxy bypass entries can begin with a protocol type, such as https://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol. - - - Protocol values are not case sensitive and you can use a wildcard character (*) in place of zero or more characters. - - - You must use a semicolon between your entries. - - - This list is limited to **2064** characters. - -6. Check the **Do not use proxy server for local (intranet) addresses** to bypass your proxy servers for all addresses on your intranet. - -7. Click **Next** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page or **Back** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. +author: lomayor +ms.prod: ie11 +ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Proxy Settings page in the IEAK 11 Wizard +The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package. + +Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings. + +**To use the Proxy Settings page** + +1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. + +2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.

          +Proxy locations that don’t begin with a protocol (like, https:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `https://proxy`. + +3. Type the port for each service. The default value is *80*. + +4. Check the **Use the same proxy server for all addresses** box to use the same proxy server settings for all of your services. + +5. Type any services that shouldn’t use a proxy server into the **Do not use proxy server for addresses beginning with** box.

          +When filling out your exceptions, keep in mind: + + - Proxy bypass entries can begin with a protocol type, such as https://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol. + + - Protocol values are not case sensitive and you can use a wildcard character (*) in place of zero or more characters. + + - You must use a semicolon between your entries. + + - This list is limited to **2064** characters. + +6. Check the **Do not use proxy server for local (intranet) addresses** to bypass your proxy servers for all addresses on your intranet. + +7. Click **Next** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page or **Back** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md index a58ac249bf..0a26a051db 100644 --- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md @@ -1,28 +1,28 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Learn how to register an uninstall app for your custom components, using IEAK 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.date: 07/27/2017 ---- - - -# Register an uninstall app for custom components using IEAK 11 -Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel. - -## Register your uninstallation program -While you’re running your custom component setup process, your app can add information to the subkeys in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` registry key, registering your uninstallation program. - -**Note**
          IE11 also uses this registry key to verify that the component installed successfully during setup. - -|Subkey |Data type |Value | -|-------|----------|-----------| -|DisplayName |*string* |Friendly name for your uninstall app. This name must match your **Uninstall Key** in the **Add a Custom Component** page of the Internet Explorer Customization Wizard 11. For more info, see the [Custom Components](custom-components-ieak11-wizard.md) page. | -|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Learn how to register an uninstall app for your custom components, using IEAK 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.date: 07/27/2017 +--- + + +# Register an uninstall app for custom components using IEAK 11 +Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel. + +## Register your uninstallation program +While you’re running your custom component setup process, your app can add information to the subkeys in the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ApplicationName` registry key, registering your uninstallation program. + +**Note**
          IE11 also uses this registry key to verify that the component installed successfully during setup. + +|Subkey |Data type |Value | +|-------|----------|-----------| +|DisplayName |*string* |Friendly name for your uninstall app. This name must match your **Uninstall Key** in the **Add a Custom Component** page of the Internet Explorer Customization Wizard 11. For more info, see the [Custom Components](custom-components-ieak11-wizard.md) page. | +|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. | + diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md index c740428fd7..db2bad72cd 100644 --- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md @@ -1,46 +1,46 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: manage -description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. -author: lomayor -ms.prod: ie11 -ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings -After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479). - -**To add the RSoP snap-in** - -1. On the **Start** screen, type *MMC*.

          -The Microsoft Management Console opens. - -2. Click **File**, and then click **Add/Remove Snap-in**. - -3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.

          -You’re now ready to use the RSoP snap-in from the console. - -**To use the RSoP snap-in** - -1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.

          -You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in. - -2. Click **Next** on the **Welcome** screen. - -3. Under **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, click **IE**, and then click the feature you want to review the policy settings for. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: manage +description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. +author: lomayor +ms.prod: ie11 +ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings +After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479). + +**To add the RSoP snap-in** + +1. On the **Start** screen, type *MMC*.

          +The Microsoft Management Console opens. + +2. Click **File**, and then click **Add/Remove Snap-in**. + +3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.

          +You’re now ready to use the RSoP snap-in from the console. + +**To use the RSoP snap-in** + +1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.

          +You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in. + +2. Click **Next** on the **Welcome** screen. + +3. Under **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, click **IE**, and then click the feature you want to review the policy settings for. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md index 24fb8137bc..2f2c8052cf 100644 --- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md @@ -1,56 +1,56 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. -author: lomayor -ms.prod: ie11 -ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Search Providers page in the IEAK 11 Wizard -The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE. - -**Note**
          The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK. - -**To use the Search Providers page** - -1. Click **Import** to automatically import your existing search providers from your current version of IE into this list. - -2. Click **Add** to add more providers.

          -The **Search Provider** box appears. - -3. In the **Display Name** box, type the text that appears in the **Search Options** menu for the search provider. - -4. In the **URL** box, type the full URL to the search provider, including the https:// prefix. - -5. In the **Favicon URL** box, type the full URL to any icon to associate with your provider. - -6. In the **Suggestions URL (XML)** box, type the associated search suggestions in XML format. - -7. In the **Suggestions URL (JSON)** box, type the associated search suggestions in JavaScript Object Notation format. - -8. In the **Accelerator Preview URL** box, type the associated Accelerator preview URL for each provider, if it’s necessary. - -9. Check the **Display Search Suggestions for this provider** box to turn on search suggestions for the provider, and then click **OK**. - -10. Check the **Search Guide URL Customization** box if you’re going to add your search providers to a custom webpage for your employees. Then, type the URL to the custom webpage in the text box. - -11. Click **Edit** to change your search provider information, click **Set Default** to make a search provider the default for your employees, or **Remove** to delete a search provider. - -12. Click **Next** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page or **Back** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. +author: lomayor +ms.prod: ie11 +ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Search Providers page in the IEAK 11 Wizard +The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE. + +**Note**
          The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK. + +**To use the Search Providers page** + +1. Click **Import** to automatically import your existing search providers from your current version of IE into this list. + +2. Click **Add** to add more providers.

          +The **Search Provider** box appears. + +3. In the **Display Name** box, type the text that appears in the **Search Options** menu for the search provider. + +4. In the **URL** box, type the full URL to the search provider, including the https:// prefix. + +5. In the **Favicon URL** box, type the full URL to any icon to associate with your provider. + +6. In the **Suggestions URL (XML)** box, type the associated search suggestions in XML format. + +7. In the **Suggestions URL (JSON)** box, type the associated search suggestions in JavaScript Object Notation format. + +8. In the **Accelerator Preview URL** box, type the associated Accelerator preview URL for each provider, if it’s necessary. + +9. Check the **Display Search Suggestions for this provider** box to turn on search suggestions for the provider, and then click **OK**. + +10. Check the **Search Guide URL Customization** box if you’re going to add your search providers to a custom webpage for your employees. Then, type the URL to the custom webpage in the text box. + +11. Click **Edit** to change your search provider information, click **Set Default** to make a search provider the default for your employees, or **Remove** to delete a search provider. + +12. Click **Next** to go to the [Important URLs - Home Page and Support](important-urls-home-page-and-support-ieak11-wizard.md) page or **Back** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md index 8a9dc3eaf9..9db3006a23 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md @@ -1,65 +1,65 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: plan -description: Learn about the security features available in Internet Explorer 11 and IEAK 11. -author: lomayor -ms.prod: ie11 -ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Security features and IEAK 11 -Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet. - -## Enhanced Protection Mode -Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments, including: - -- Restricting access to higher-level processes in the AppContainer. - -- Improving security against memory safety exploits in 64-bit tab processes. - -This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](../ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md). - -## Certificates and Digital Signatures -Web browsers have security features that help protect users from downloading harmful programs. Depending on the security level and the platform that you are using, the user may be prevented from, or warned against, downloading programs that are not digitally signed. Digital signatures show users where programs come from, verify that the programs have not been altered, and ensure that users do not receive unnecessary warnings when installing the custom browser. - -Because of this, the custom .cab files created by the Internet Explorer Customization Wizard should be signed, unless you pre-configure the Local intranet zone with a Low security setting. Any custom components you distribute with your browser package for these platforms should also be signed. - -### Understanding digital certificates -To sign your package and custom programs digitally, you must first obtain a digital certificate. You can obtain a certificate from a certification authority or a privately-controlled certificate server. For more info about obtaining certificates or setting up a certificate server, see the following: - -- Microsoft-trusted certification authorities ([Windows root certificate program requirements](https://go.microsoft.com/fwlink/p/?LinkId=759697)). - -- Certificates overview documentation ([Certificates](https://go.microsoft.com/fwlink/p/?LinkId=759698)). - -- Microsoft Active Directory Certificate Services ( [Active Directory Certificate Services](https://go.microsoft.com/fwlink/p/?LinkId=259521)). - -- Enterprise public key infrastructure (PKI) snap-in documentation ([Enterprise PKI](https://go.microsoft.com/fwlink/p/?LinkId=259526)). - -After you get a certificate, you should note the public and private keys, which are a matched set of keys that are created by the software publisher for encryption and decryption. They are generated on your device at the time the certificate is requested, and your private key is never sent to the certification authority or any other party. - -### Understanding code signing -Code signing varies, depening on how you plan to distribute your custom install package. - -- **If you plan to distribute custom packages over the Internet**, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) ( [SignTool.exe (Sign Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71298)) or use the File Signing Tool (Signcode.exe) ([Signcode.exe (File Signing Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71299)). You should read the documentation included with these tools for more info about all of the signing options.

          -In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](https://go.microsoft.com/fwlink/p/?LinkId=71300)). - -- **If you plan to distribute your custom packages over an intranet**, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code. - -### Understanding your private key -Your device creates two keys during the enrollment process of your digital certificate. One is a public key, which is sent to anyone you want to communicate with, and one is a private key, which is stored on your local device and must be kept secret. You use the private key to encrypt your data and the corresponding public key to decrypt it. - -You must keep your private key, private. To do this, we recommend: - -- **Separate test and release signing.** Set up a parallel code signing infrastructure, using test certificates created by an internal test root certificate authority. This helps to ensure that your certificates aren’t stored on an insecure build system, reducing the likelihood that they will be compromised. - -- **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices. - -- **Security.** Protect your private keys using physical security measures, such as cameras and card readers. - +--- +ms.localizationpriority: medium +ms.mktglfcycl: plan +description: Learn about the security features available in Internet Explorer 11 and IEAK 11. +author: lomayor +ms.prod: ie11 +ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Security features and IEAK 11 +Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet. + +## Enhanced Protection Mode +Extends Protected Mode to further restrict the ability of an attacker to access sensitive or personal information in personal and corporate environments, including: + +- Restricting access to higher-level processes in the AppContainer. + +- Improving security against memory safety exploits in 64-bit tab processes. + +This feature is turned off by default. For more info, see [Enhanced Protected Mode problems with Internet Explorer](../ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md). + +## Certificates and Digital Signatures +Web browsers have security features that help protect users from downloading harmful programs. Depending on the security level and the platform that you are using, the user may be prevented from, or warned against, downloading programs that are not digitally signed. Digital signatures show users where programs come from, verify that the programs have not been altered, and ensure that users do not receive unnecessary warnings when installing the custom browser. + +Because of this, the custom .cab files created by the Internet Explorer Customization Wizard should be signed, unless you pre-configure the Local intranet zone with a Low security setting. Any custom components you distribute with your browser package for these platforms should also be signed. + +### Understanding digital certificates +To sign your package and custom programs digitally, you must first obtain a digital certificate. You can obtain a certificate from a certification authority or a privately-controlled certificate server. For more info about obtaining certificates or setting up a certificate server, see the following: + +- Microsoft-trusted certification authorities ([Windows root certificate program requirements](https://go.microsoft.com/fwlink/p/?LinkId=759697)). + +- Certificates overview documentation ([Certificates](https://go.microsoft.com/fwlink/p/?LinkId=759698)). + +- Microsoft Active Directory Certificate Services ( [Active Directory Certificate Services](https://go.microsoft.com/fwlink/p/?LinkId=259521)). + +- Enterprise public key infrastructure (PKI) snap-in documentation ([Enterprise PKI](https://go.microsoft.com/fwlink/p/?LinkId=259526)). + +After you get a certificate, you should note the public and private keys, which are a matched set of keys that are created by the software publisher for encryption and decryption. They are generated on your device at the time the certificate is requested, and your private key is never sent to the certification authority or any other party. + +### Understanding code signing +Code signing varies, depening on how you plan to distribute your custom install package. + +- **If you plan to distribute custom packages over the Internet**, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) ( [SignTool.exe (Sign Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71298)) or use the File Signing Tool (Signcode.exe) ([Signcode.exe (File Signing Tool)](https://go.microsoft.com/fwlink/p/?LinkId=71299)). You should read the documentation included with these tools for more info about all of the signing options.

          +In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](https://go.microsoft.com/fwlink/p/?LinkId=71300)). + +- **If you plan to distribute your custom packages over an intranet**, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code. + +### Understanding your private key +Your device creates two keys during the enrollment process of your digital certificate. One is a public key, which is sent to anyone you want to communicate with, and one is a private key, which is stored on your local device and must be kept secret. You use the private key to encrypt your data and the corresponding public key to decrypt it. + +You must keep your private key, private. To do this, we recommend: + +- **Separate test and release signing.** Set up a parallel code signing infrastructure, using test certificates created by an internal test root certificate authority. This helps to ensure that your certificates aren’t stored on an insecure build system, reducing the likelihood that they will be compromised. + +- **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices. + +- **Security.** Protect your private keys using physical security measures, such as cameras and card readers. + diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md index 8dd5b81f5a..007b61208d 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md @@ -1,43 +1,43 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. -author: lomayor -ms.prod: ie11 -ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Security and Privacy Settings page in the IEAK 11 Wizard -The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting. - -**To use the Security and Privacy Settings page** - -1. Decide if you want to customize your security zones and privacy settings. You can pick: - - - **Do not customize security zones and privacy.** Pick this option if you don’t want to customize your security zones and privacy settings. - - - **Import the current security zones and privacy.** Pick this option to import your security zone and privacy settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          To change your settings, click **Modify Settings** to open the **Internet Properties** box, and then click the **Security** and **Privacy** tabs to make your changes. - -2. Decide if you want to customize your content ratings. You can pick: - - - **Do not customize content ratings.** Pick this option if you don’t want to customize content ratings. - - - **Import the current content ratings settings.** Pick this option to import your content rating settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          Not all Internet content is rated. If you choose to allow users to view unrated sites, some of those sites could contain inappropriate material. To change your settings, click **Modify Settings** to open the **Content Advisor** box, where you can make your changes. - -3. Click **Next** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page or **Back** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. +author: lomayor +ms.prod: ie11 +ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Security and Privacy Settings page in the IEAK 11 Wizard +The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting. + +**To use the Security and Privacy Settings page** + +1. Decide if you want to customize your security zones and privacy settings. You can pick: + + - **Do not customize security zones and privacy.** Pick this option if you don’t want to customize your security zones and privacy settings. + + - **Import the current security zones and privacy.** Pick this option to import your security zone and privacy settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          To change your settings, click **Modify Settings** to open the **Internet Properties** box, and then click the **Security** and **Privacy** tabs to make your changes. + +2. Decide if you want to customize your content ratings. You can pick: + + - **Do not customize content ratings.** Pick this option if you don’t want to customize content ratings. + + - **Import the current content ratings settings.** Pick this option to import your content rating settings from your computer and use them as the preset for your employee’s settings.

          **Note**
          Not all Internet content is rated. If you choose to allow users to view unrated sites, some of those sites could contain inappropriate material. To change your settings, click **Modify Settings** to open the **Content Advisor** box, where you can make your changes. + +3. Click **Next** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page or **Back** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md index c81c6b6a9d..74e61ad2bb 100644 --- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md @@ -1,27 +1,27 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. -author: lomayor -ms.prod: ie11 -ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e -ms.reviewer: -manager: dansimp -ms.author: lomayor -title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Security Imports .INS file to import security info -Info about how to import security information from your local device to your custom package. - -|Name |Value |Description | -|-----|------|------------| -|ImportAuthCode |

          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Authenticode settings. | -|ImportRatings |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Content Ratings settings. | -|ImportSecZones |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Security Zone settings. | -|ImportSiteCert |
          • **0.** Don’t import the existing authorities.
          • **1.** Import the existing authorities.
          |Whether to import the existing site certification authorities. | -|Win16SiteCerts |
          • **0.** Don’t use the site certificates.
          • **1.** Use the site certificates.
          |Whether to use site certificates for computers running 16-bit versions of Windows. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. +author: lomayor +ms.prod: ie11 +ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e +ms.reviewer: +audience: itpro manager: dansimp +ms.author: lomayor +title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Security Imports .INS file to import security info +Info about how to import security information from your local device to your custom package. + +|Name |Value |Description | +|-----|------|------------| +|ImportAuthCode |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Authenticode settings. | +|ImportRatings |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Content Ratings settings. | +|ImportSecZones |
          • **0.** Don’t import the existing settings.
          • **1.** Import the existing settings.
          |Whether to import the existing Security Zone settings. | +|ImportSiteCert |
          • **0.** Don’t import the existing authorities.
          • **1.** Import the existing authorities.
          |Whether to import the existing site certification authorities. | +|Win16SiteCerts |
          • **0.** Don’t use the site certificates.
          • **1.** Use the site certificates.
          |Whether to use site certificates for computers running 16-bit versions of Windows. | + diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index ca25c64f0e..228805f528 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -1,123 +1,123 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. -author: lomayor -ms.author: lomayor -ms.prod: ie11 -ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 -ms.reviewer: -manager: dansimp -title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Troubleshoot custom package and IEAK 11 problems -While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. - -## I am unable to locate some of the wizard pages -The most common reasons you will not see certain pages is because: - -- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - -- **Your choice of operating system.** Depending on the operating system you picked from the **Platform Selection** page of the wizard, you might not see all of the pages. Some features aren’t available for all operating systems. For more information, see [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md). - -- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md). - -## Internet Explorer Setup fails on user's devices -Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure. - -### Main.log file codes - -|Code |Description | -|-----|------------| -|0 |Initializing, making a temporary folder, and checking disk space. | -|1 |Checking for all dependencies. | -|2 |Downloading files from the server. | -|3 |Copying files from download location to the temporary installation folder. | -|4 |Restarting download and retrying Setup, because of a time-out error or other download error. | -|5 |Checking trust and checking permissions. | -|6 |Extracting files. | -|7 |Running Setup program (an .inf or .exe file). | -|8 |Installation is finished. | -|9 |Download finished, and all files are downloaded. | - -### Main.log error codes - -|Code |Description | -|-----|------------| -|80100003 |Files are missing from the download folder during installation. | -|800bxxxx |An error code starting with 800b is a trust failure. | -|800Cxxxx |An error code starting with 800C is a Urlmon.dll failure. | - - -## Internet Explorer Setup connection times out -Internet Explorer Setup can switch servers during the installation process to maintain maximum throughput or to recover from a non-responsive download site (you receive less than 1 byte in 2 minutes). If the connection times out, but Setup is able to connect to the next download site on the list, your download starts over. If however the connection times out and Setup can’t connect to a different server, it’ll ask if you want to stop the installation or try again. - -To address connection issues (for example, as a result of server problems) where Setup can’t locate another download site by default, we recommend you overwrite your first download server using this workaround: - -``` syntax -\ie11setup.exe /C:"ie11wzd.exe /S:""\ie11setup.exe"" /L:""https://your_Web_server/your_Web_site/ie11sites.dat""" -``` - -Where `` represents the folder location where you stored IE11setup.exe. - -## Users cannot uninstall IE -If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should: - -1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown. - -2. Try to manually uninstall IE. Go to the backup folder, `:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`. - -  -## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets -The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp). - -1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**. -2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory. - -  -## Unicode characters are not supported in IEAK 11 path names -While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built. - -## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings -Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage). - - -## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option -The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page. - -Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**. - -## F1 does not activate Help on Automatic Version Synchronization page -Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page. - -## Certificate installation does not work on IEAK 11 -IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). - ->[!NOTE] ->This applies only when using the External licensing mode of IEAK 11. - -## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 -When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. - ->[!NOTE] ->This applies only when using the Internal licensing mode of IEAK 11. - -To work around this issue, run the customization wizard following these steps: -1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. -2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page. -3. After synchronization is complete, cancel the wizard. -4. Repeat these steps for each platform on the Platform Selection page. - -After performing these steps, you must still do the following each time you synchronize a new language and platform: -1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder. -2. Open the **Policies** folder, and then open the appropriate platform folder. -3. Copy the contents of the matching-language folder into the new language folder. - -After completing these steps, the Additional Settings page matches your wizard’s language. - -## Unable to access feeds stored in a subfolder -Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail. +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. +author: lomayor +ms.author: lomayor +ms.prod: ie11 +ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 +ms.reviewer: +audience: itpro manager: dansimp +title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Troubleshoot custom package and IEAK 11 problems +While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. + +## I am unable to locate some of the wizard pages +The most common reasons you will not see certain pages is because: + +- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). + +- **Your choice of operating system.** Depending on the operating system you picked from the **Platform Selection** page of the wizard, you might not see all of the pages. Some features aren’t available for all operating systems. For more information, see [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md). + +- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md). + +## Internet Explorer Setup fails on user's devices +Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure. + +### Main.log file codes + +|Code |Description | +|-----|------------| +|0 |Initializing, making a temporary folder, and checking disk space. | +|1 |Checking for all dependencies. | +|2 |Downloading files from the server. | +|3 |Copying files from download location to the temporary installation folder. | +|4 |Restarting download and retrying Setup, because of a time-out error or other download error. | +|5 |Checking trust and checking permissions. | +|6 |Extracting files. | +|7 |Running Setup program (an .inf or .exe file). | +|8 |Installation is finished. | +|9 |Download finished, and all files are downloaded. | + +### Main.log error codes + +|Code |Description | +|-----|------------| +|80100003 |Files are missing from the download folder during installation. | +|800bxxxx |An error code starting with 800b is a trust failure. | +|800Cxxxx |An error code starting with 800C is a Urlmon.dll failure. | + + +## Internet Explorer Setup connection times out +Internet Explorer Setup can switch servers during the installation process to maintain maximum throughput or to recover from a non-responsive download site (you receive less than 1 byte in 2 minutes). If the connection times out, but Setup is able to connect to the next download site on the list, your download starts over. If however the connection times out and Setup can’t connect to a different server, it’ll ask if you want to stop the installation or try again. + +To address connection issues (for example, as a result of server problems) where Setup can’t locate another download site by default, we recommend you overwrite your first download server using this workaround: + +``` syntax +\ie11setup.exe /C:"ie11wzd.exe /S:""\ie11setup.exe"" /L:""https://your_Web_server/your_Web_site/ie11sites.dat""" +``` + +Where `` represents the folder location where you stored IE11setup.exe. + +## Users cannot uninstall IE +If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should: + +1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown. + +2. Try to manually uninstall IE. Go to the backup folder, `:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`. + +  +## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets +The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp). + +1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**. +2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory. + +  +## Unicode characters are not supported in IEAK 11 path names +While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built. + +## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings +Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage). + + +## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option +The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page. + +Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**. + +## F1 does not activate Help on Automatic Version Synchronization page +Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page. + +## Certificate installation does not work on IEAK 11 +IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). + +>[!NOTE] +>This applies only when using the External licensing mode of IEAK 11. + +## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 +When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. + +>[!NOTE] +>This applies only when using the Internal licensing mode of IEAK 11. + +To work around this issue, run the customization wizard following these steps: +1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. +2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page. +3. After synchronization is complete, cancel the wizard. +4. Repeat these steps for each platform on the Platform Selection page. + +After performing these steps, you must still do the following each time you synchronize a new language and platform: +1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder. +2. Open the **Policies** folder, and then open the appropriate platform folder. +3. Copy the contents of the matching-language folder into the new language folder. + +After completing these steps, the Additional Settings page matches your wizard’s language. + +## Unable to access feeds stored in a subfolder +Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail. diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md index 1aec2abb8a..965fda174e 100644 --- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md @@ -1,40 +1,40 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. -author: dansimp -ms.prod: ie11 -ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the URL .INS file to use an auto-configured proxy server -Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. - -|Name |Value |Description | -|-----|------|------------| -|AutoConfig |
          • **0.** Don’t automatically configure the browser.
          • **1.** Automatically configure the browser.
          |Determines whether to automatically configure the customized browser on your employee’s device. | -|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) | -|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. | -|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. | -|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. | -|Help_Page |`` |The URL to your internal technical support site. | -|Home_Page |`` |The URL to your default **Home** page. | -|NoWelcome |
          • **0.** Display the **Welcome** page.
          • **1.** Don’t display the **Welcome** page.
          |Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. | -|Quick_Link_1 |`` |The URL to your first Quick Link. | -|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. | -|Quick_Link_2 |`` |The URL to your second Quick Link. | -|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. | -|Quick_Link_X |`` |The URL to another Quick Link. | -|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. | -|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | -|Quick_Link_X_Offline |
          • **0.** Don’t make the Quick Links available offline.
          • **1.** Make the Quick Links available offline.
          |Determines whether to make the Quick Links available for offline browsing. | -|Search_Page |`` |The URL to the default search page. | -|UseLocalIns |
          • **0.** Don’t use a local .ins file.
          • **1.** Use a local .ins file.
          |Determines whether to use a local Internet Settings (.ins) file | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. +author: dansimp +ms.prod: ie11 +ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the URL .INS file to use an auto-configured proxy server +Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. + +|Name |Value |Description | +|-----|------|------------| +|AutoConfig |
          • **0.** Don’t automatically configure the browser.
          • **1.** Automatically configure the browser.
          |Determines whether to automatically configure the customized browser on your employee’s device. | +|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) | +|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. | +|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. | +|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. | +|Help_Page |`` |The URL to your internal technical support site. | +|Home_Page |`` |The URL to your default **Home** page. | +|NoWelcome |
          • **0.** Display the **Welcome** page.
          • **1.** Don’t display the **Welcome** page.
          |Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. | +|Quick_Link_1 |`` |The URL to your first Quick Link. | +|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. | +|Quick_Link_2 |`` |The URL to your second Quick Link. | +|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. | +|Quick_Link_X |`` |The URL to another Quick Link. | +|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. | +|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | +|Quick_Link_X_Offline |
          • **0.** Don’t make the Quick Links available offline.
          • **1.** Make the Quick Links available offline.
          |Determines whether to make the Quick Links available for offline browsing. | +|Search_Page |`` |The URL to the default search page. | +|UseLocalIns |
          • **0.** Don’t use a local .ins file.
          • **1.** Use a local .ins file.
          |Determines whether to use a local Internet Settings (.ins) file | + diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index b9d51e17e5..ed8f2be8f1 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md @@ -1,60 +1,60 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. -author: dansimp -ms.prod: ie11 -ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the User Experience page in the IEAK 11 Wizard -The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. - -**Note**
          You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

          The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7. - -**To use the User Experience page** - -1. Choose how your employee should interact with Setup, including: - - - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. - - - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. - - - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. -

          Both the hands-free and completely silent installation options will: - - - Answer prompts so Setup can continue. - - - Accept the license agreement. - - - Determine that Internet Explorer 11 is installed and not just downloaded. - - - Perform your specific installation type. - - - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. - -2. Choose if your employee’s device will restart at the end of Setup. - - - **Default**. Prompts your employees to restart after installing IE. - - - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. - - - **Force restart**. Automatically restarts the computer after installing IE. - -3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. +author: dansimp +ms.prod: ie11 +ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the User Experience page in the IEAK 11 Wizard +The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. + +**Note**
          You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

          The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7. + +**To use the User Experience page** + +1. Choose how your employee should interact with Setup, including: + + - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. + + - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. + + - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. +

          Both the hands-free and completely silent installation options will: + + - Answer prompts so Setup can continue. + + - Accept the license agreement. + + - Determine that Internet Explorer 11 is installed and not just downloaded. + + - Perform your specific installation type. + + - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. + +2. Choose if your employee’s device will restart at the end of Setup. + + - **Default**. Prompts your employees to restart after installing IE. + + - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. + + - **Force restart**. Automatically restarts the computer after installing IE. + +3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index f17c6d7844..3efd12ffa8 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md @@ -1,37 +1,37 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. -author: dansimp -ms.prod: ie11 -ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Internet Settings (.INS) files with IEAK 11 -Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. - -Here's a list of the available .INS file settings: - -|Setting |Description | -|-----------------------------------------|------------------------------------------------------------------------------| -|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. | -|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. | -|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. | -|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. | -|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. | -|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. | -|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. | -|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. | -|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. | -|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | -|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | -|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | -|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. +author: dansimp +ms.prod: ie11 +ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Internet Settings (.INS) files with IEAK 11 +Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. + +Here's a list of the available .INS file settings: + +|Setting |Description | +|-----------------------------------------|------------------------------------------------------------------------------| +|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. | +|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. | +|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. | +|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. | +|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. | +|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. | +|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. | +|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. | +|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. | +|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | +|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | +|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | +|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | + diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md index 221f4896ab..5e8b4e979e 100644 --- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md +++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md @@ -1,68 +1,68 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. -author: dansimp -ms.author: dansimp -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -manager: dansimp -title: What IEAK can do for you -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# What IEAK can do for you - -Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. - -IEAK 10 and newer includes the ability to install using one of the following installation modes: - -- Internal - -- External - -## IEAK 11 users -Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. - -IEAK 10 and newer includes the ability to install using one of the following installation modes: -- Internal -- External - ->[!NOTE] ->IEAK 11 works in network environments, with or without Microsoft Active Directory service. - - -### Corporations -IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. - -Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). - -### Internet service providers -IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. - -ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). - -### Internet content providers -IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. - -ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) - -### Independent software vendors -IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. - -ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). - -## Additional resources - -- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) -- [Download IEAK 11](ieak-information-and-downloads.md) -- [IEAK 11 overview](index.md) -- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) -- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) -- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. +author: dansimp +ms.author: dansimp +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro manager: dansimp +title: What IEAK can do for you +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# What IEAK can do for you + +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: + +- Internal + +- External + +## IEAK 11 users +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: +- Internal +- External + +>[!NOTE] +>IEAK 11 works in network environments, with or without Microsoft Active Directory service. + + +### Corporations +IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. + +Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). + +### Internet service providers +IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. + +ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). + +### Internet content providers +IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. + +ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) + +### Independent software vendors +IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. + +ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). + +## Additional resources + +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [Download IEAK 11](ieak-information-and-downloads.md) +- [IEAK 11 overview](index.md) +- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index e32fa2b1da..e81b0eedea 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md @@ -1,31 +1,31 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. -author: dansimp -ms.prod: ie11 -ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc -ms.reviewer: -manager: dansimp -ms.author: dansimp -title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard -The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. - -In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads. - -After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. +author: dansimp +ms.prod: ie11 +ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc +ms.reviewer: +audience: itpro manager: dansimp +ms.author: dansimp +title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard +The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. + +In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads. + +After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). + +  + +  + + + + + diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md index c2dbda0086..ad64db8744 100644 --- a/browsers/internet-explorer/index.md +++ b/browsers/internet-explorer/index.md @@ -2,7 +2,7 @@ ms.mktglfcycl: deploy description: The landing page for IE11 that lets you access the documentation. author: shortpatti -ms.prod: IE11 +ms.prod: ie11 title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0 ms.sitesec: library diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index d50c95d74f..36cbb30a09 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,13 +1,15 @@ # [Microsoft HoloLens](index.md) # [What's new in HoloLens](hololens-whats-new.md) -# [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) # [Set up HoloLens](hololens-setup.md) +# Deploy HoloLens in a commercial environment +## [Overview and deployment planning](hololens-requirements.md) +## [Configure HoloLens using a provisioning package](hololens-provisioning.md) +## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) + # Device Management ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Install localized version of HoloLens](hololens-install-localized.md) -## [Configure HoloLens using a provisioning package](hololens-provisioning.md) -## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Manage updates to HoloLens](hololens-updates.md) ## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) ## [Use the HoloLens Clicker](hololens-clicker.md) diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index b19110b8f2..7cda17b22f 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -32,7 +32,8 @@ "breadcrumb_path": "/hololens/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "jdecker", + "audience": "ITPro", + "manager": "laurawi", "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 8cbeaf26eb..838674f0dc 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -102,6 +102,6 @@ Provisioning packages are files created by the Windows Configuration Designer to Encryption is silent on HoloLens. To verify the device encryption status: -- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. +- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. ![About screen showing BitLocker enabled](images/about-encryption.png) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index ef830c3525..418cfce2d9 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -22,9 +22,9 @@ manager: dansimp For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business). To configure how and when updates are applied, use the following policies: -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) -- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: - [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) diff --git a/devices/hololens/images/hololens2-side-render-medium.png b/devices/hololens/images/hololens2-side-render-medium.png new file mode 100644 index 0000000000..d4650c05e2 Binary files /dev/null and b/devices/hololens/images/hololens2-side-render-medium.png differ diff --git a/devices/hololens/images/hololens2-side-render-small.png b/devices/hololens/images/hololens2-side-render-small.png new file mode 100644 index 0000000000..a1a612e05a Binary files /dev/null and b/devices/hololens/images/hololens2-side-render-small.png differ diff --git a/devices/hololens/images/hololens2-side-render-xs.png b/devices/hololens/images/hololens2-side-render-xs.png new file mode 100644 index 0000000000..08d5f966cd Binary files /dev/null and b/devices/hololens/images/hololens2-side-render-xs.png differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index abb50c076e..5aee70afdb 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -3,6 +3,7 @@ title: Microsoft HoloLens (HoloLens) description: Landing page for HoloLens commercial and enterprise management. ms.prod: hololens ms.sitesec: library +ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040 author: scooley ms.author: scooley ms.topic: article @@ -18,7 +19,9 @@ ms.date: 07/14/2019

          Now, with the introduction of HoloLens 2, every device provides commercial ready management enhanced by the reliability, security, and scalability of cloud and AI services from Microsoft.

          -HoloLens 2 side view +

          To learn more about HoloLens 2 for developers, check out the mixed reality developer documentation.

          + +HoloLens 2 side view ## Guides in this section @@ -26,7 +29,7 @@ ms.date: 07/14/2019 | Guide | Description | | --- | --- | | [Get started with HoloLens](hololens-setup.md) | Set up HoloLens for the first time. | -| [Set up HoloLens in the enterprise](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. | +| [Deploy HoloLens in a commercial environment](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. | | [Install and manage applications on HoloLens](hololens-install-apps.md) |Install and manage important applications on HoloLens at scale. | | [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | | [Get support](https://support.microsoft.com/products/hololens) |Connect with Microsoft support resources for HoloLens in enterprise. | diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index 5f16f8d171..2ab787b803 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -27,7 +27,9 @@ "breadcrumb_path": "/surface-hub/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", + "manager": "laurawi", "ms.mktglfcycl": "manage", "ms.sitesec": "library", "ms.date": "05/23/2017", diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index 7df7a694dc..76e5ac1055 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md @@ -97,4 +97,4 @@ If you insert a USB thumb drive with a provisioning package into one of the USB ![* Select a device account and friendly name from your configuration file*](images/sh2-run14.png)
          - 4. Follow the instructions to complete first time Setup. +4. Follow the instructions to complete first time Setup. diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 881dfa5e4b..568e515039 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -26,6 +26,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
          +June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + +* Addresses an issue with log collection for Microsoft Surface Hub 2S. +* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4503289](https://support.microsoft.com/help/4503289) +
          +
          May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835) @@ -484,4 +496,4 @@ This update to the Surface Hub includes quality improvements and security fixes. * [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq) * [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327) * [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968) -* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) \ No newline at end of file +* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 2c8a3793a6..e921c71e09 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -34,7 +34,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m - Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet - Surface Hub needs to be updated to Windows 10, version 1607 or newer - Port 443 needs to be open since Whiteboard makes standard https requests -- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies +- Whiteboard.ms, whiteboard.microsoft.com, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies >[!NOTE] @@ -68,4 +68,5 @@ After you’re done, you can export a copy of the Whiteboard collaboration for y ## Related topics - [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub) -- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) + +- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 15a51ed349..e74076b642 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.md) -## Get started +## [Get started](get-started.md) ## Overview ### [Surface Pro Tech specs](https://www.microsoft.com/surface/devices/surface-pro/tech-specs) diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 75607e9f4d..026be430c1 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -25,7 +25,9 @@ "breadcrumb_path": "/surface/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", + "manager": "laurawi", "ms.date": "05/09/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 2d0b406711..a1e5874ea2 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -61,8 +61,8 @@ The following steps show you how to create a deployment share for Windows 10 tha >[!NOTE] >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: > * Deployment tools - > * User State Migration Tool (USMT) - > * Windows Preinstallation Environment (WinPE) + > * User State Migration Tool (USMT) + > * Windows Preinstallation Environment (WinPE) > [!NOTE] > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. @@ -75,11 +75,11 @@ The following steps show you how to create a deployment share for Windows 10 tha - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. - - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. + - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. - **Windows 10 Deployment Services** - - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. + - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. - **Windows 10 Source Files** diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index af796bd2c4..dff968bbf3 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -103,39 +103,45 @@ The sample scripts include examples of how to set Surface UEFI settings and how ### Specify certificate and package names -The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script: +The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script: ``` 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition 57 $packageRoot = "$WorkingDirPath\Config" - 58 - 59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot } - 60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot - 61 - 62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx" - 63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg" - 64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg" - 65 - 66 # If your PFX file requires a password then it can be set here, otherwise use a blank string. - 67 $password = "1234" + 58 $certName = "FabrikamSEMMSample.pfx" + 59 $DllVersion = "2.26.136.0" + 60 + 61 $certNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($certName) + 62 $ProvisioningPackage = $certNameOnly + "ProvisioningPackage.pkg" + 63 $ResetPackage = $certNameOnly + "ResetPackage.pkg" + 64 + 65 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot } + 66 Copy-Item "$WorkingDirPath\$certName" $packageRoot + 67 + 68 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath $certName + 69 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath $ProvisioningPackage + 70 $resetPackageName = Join-Path -Path $packageRoot -ChildPath $ResetPackage + 71 + 72 # If your PFX file requires a password then it can be set here, otherwise use a blank string. + 73 $password = "1234" ``` -Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. +Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. -Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. +Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. -On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. +On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. >[!Note] ->The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this: +>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this: ``` -144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. -145 # For convenience we get the thumbprint here and present to the user. -146 $pw = ConvertTo-SecureString $password -AsPlainText -Force -147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) -149 Write-Host "Thumbprint =" $certPrint.Thumbprint +150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. +151 # For convenience we get the thumbprint here and present to the user. +152 $pw = ConvertTo-SecureString $password -AsPlainText -Force +153 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 +154 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) +155 Write-Host "Thumbprint =" $certPrint.Thumbprint ``` Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: @@ -153,46 +159,47 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin ### Configure permissions -The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras: +The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras: ``` -202 # Configure Permissions -203 foreach ($uefiV2 IN $surfaceDevices.Values) { -204 # Here we define which "identities" will be allowed to modify which settings -205 # PermissionSignerOwner = The primary SEMM enterprise owner identity -206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI -207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 = -208 # Additional user identities created so that the signer owner -209 # can delegate permission control for some settings. -210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal) -212 -213 # Make all permissions owner only by default -214 foreach ($setting IN $uefiV2.Settings.Values) { -215 $setting.ConfiguredPermissionFlags = $ownerOnly -216 } -217 # Allow the local user to change their own password -218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser -219 -220 # Allow the local user to change the state of the TPM -221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser -222 -223 # Allow the local user to change the state of the Front and Rear cameras -224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser -225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser -226 -227 -228 # Create a unique package name based on family and LSV. -229 # We will choose a name that can be parsed by later scripts. -230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg" -231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName -232 -233 # Build and sign the Permission package then save it to a file. -234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv) -235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) -236 $permissionPackageStream.CopyTo($permissionPackage) -237 $permissionPackage.Close() -238 } +210 # Configure Permissions +211 foreach ($uefiV2 IN $surfaceDevices.Values) { +212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { +213 Write-Host "Configuring permissions" +214 Write-Host $Device.Model +215 Write-Host "=======================" +216 +217 # Here we define which "identities" will be allowed to modify which settings +218 # PermissionSignerOwner = The primary SEMM enterprise owner identity +219 # PermissionLocal = The user when booting to the UEFI pre-boot GUI +220 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 = +221 # Additional user identities created so that the signer owner +222 # can delegate permission control for some settings. +223 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner +224 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal) +225 +226 # Make all permissions owner only by default +227 foreach ($setting IN $uefiV2.Settings.Values) { +228 $setting.ConfiguredPermissionFlags = $ownerOnly +229 } +230 +231 # Allow the local user to change their own password +232 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser +233 +234 Write-Host "" +235 +236 # Create a unique package name based on family and LSV. +237 # We will choose a name that can be parsed by later scripts. +238 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg" +239 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName +240 +241 # Build and sign the Permission package then save it to a file. +242 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv) +243 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) +244 $permissionPackageStream.CopyTo($permissionPackage) +245 $permissionPackage.Close() +246 } +247 } ``` Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values: @@ -204,69 +211,169 @@ You can find information about the available settings names and IDs for Surface ### Configure settings -The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows: +The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows: ``` -282 # Configure Settings -283 foreach ($uefiV2 IN $surfaceDevices.Values) { -284 # In this demo, we will start by setting every setting to the default factory setting. -285 # You may want to start by doing this in your scripts -286 # so that every setting gets set to a known state. -287 foreach ($setting IN $uefiV2.Settings.Values) { -288 $setting.ConfiguredValue = $setting.DefaultValue -289 } -290 -291 # If you want to set something to a different value from the default, -292 # here are examples of how to accomplish this. -293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled" -294 -295 # If you want to leave the setting unmodified, set it to $null -296 # PowerShell has issues setting things to $null so ClearConfiguredValue() -297 # is supplied to do this explicitly. -298 # Here is an example of leaving the UEFI administrator password as-is, -299 # even after we initially set it to factory default above. -300 $uefiV2.SettingsById[501].ClearConfiguredValue() -301 -302 # Create a unique package name based on family and LSV. -303 # We will choose a name that can be parsed by later scripts. -304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg" -305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName -306 -307 # Build and sign the Settings package then save it to a file. -308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv) -309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) -310 $settingsPackageStream.CopyTo($settingsPackage) -311 $settingsPackage.Close() -312 } +291 # Configure Settings +292 foreach ($uefiV2 IN $surfaceDevices.Values) { +293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { +294 Write-Host "Configuring settings" +295 Write-Host $Device.Model +296 Write-Host "====================" +297 +298 # In this demo, we will start by setting every setting to the default factory setting. +299 # You may want to start by doing this in your scripts +300 # so that every setting gets set to a known state. +301 foreach ($setting IN $uefiV2.Settings.Values) { +302 $setting.ConfiguredValue = $setting.DefaultValue +303 } +304 +305 $EnabledValue = "Enabled" +306 $DisabledValue = "Disabled" +307 +308 # If you want to set something to a different value from the default, +309 # here are examples of how to accomplish this. +310 # This disables IPv6 PXE boot by name: +311 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = $DisabledValue +312 +313 # This disables IPv6 PXE Boot by ID: +314 $uefiV2.SettingsById[400].ConfiguredValue = $DisabledValue +315 +316 Write-Host "" +317 +318 # If you want to leave the setting unmodified, set it to $null +319 # PowerShell has issues setting things to $null so ClearConfiguredValue() +320 # is supplied to do this explicitly. +321 # Here is an example of leaving the UEFI administrator password as-is, +322 # even after we initially set it to factory default above. +323 $uefiV2.SettingsById[501].ClearConfiguredValue() +324 +325 # Create a unique package name based on family and LSV. +326 # We will choose a name that can be parsed by later scripts. +327 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg" +328 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName +329 +330 # Build and sign the Settings package then save it to a file. +331 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv) +332 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) +333 $settingsPackageStream.CopyTo($settingsPackage) +334 $settingsPackage.Close() +335 } ``` Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**. -If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**. +If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 323 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**. You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article. ### Settings registry key -To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location: +To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location: -`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000` +`HKLM\SOFTWARE\Microsoft\Surface\SEMM` -The following code fragment, found on lines 352-363, is used to write this registry key: +The following code fragment, found on lines 380-477, is used to write these registry keys: ``` -352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM" -353 New-RegKey $SurfaceRegKey -354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue -355 -356 If ($SurfaceRegValue -eq $null) -357 { -358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null -359 } -360 Else -361 { -362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1 -363 } +380 # For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry: +381 $UTCDate = (Get-Date).ToUniversalTime().ToString() +382 $certIssuer = $certPrint.Issuer +383 $certSubject = $certPrint.Subject +384 +385 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM" +386 New-RegKey $SurfaceRegKey +387 $LSVRegValue = Get-ItemProperty $SurfaceRegKey LSV -ErrorAction SilentlyContinue +388 $DateTimeRegValue = Get-ItemProperty $SurfaceRegKey LastConfiguredUTC -ErrorAction SilentlyContinue +389 $OwnershipSessionIdRegValue = Get-ItemProperty $SurfaceRegKey OwnershipSessionId -ErrorAction SilentlyContinue +390 $PermissionSessionIdRegValue = Get-ItemProperty $SurfaceRegKey PermissionSessionId -ErrorAction SilentlyContinue +391 $SettingsSessionIdRegValue = Get-ItemProperty $SurfaceRegKey SettingsSessionId -ErrorAction SilentlyContinue +392 $IsResetRegValue = Get-ItemProperty $SurfaceRegKey IsReset -ErrorAction SilentlyContinue +393 $certUsedRegValue = Get-ItemProperty $SurfaceRegKey CertName -ErrorAction SilentlyContinue +394 $certIssuerRegValue = Get-ItemProperty $SurfaceRegKey CertIssuer -ErrorAction SilentlyContinue +395 $certSubjectRegValue = Get-ItemProperty $SurfaceRegKey CertSubject -ErrorAction SilentlyContinue +396 +397 +398 If ($LSVRegValue -eq $null) +399 { +400 New-ItemProperty -Path $SurfaceRegKey -Name LSV -PropertyType DWORD -Value $lsv | Out-Null +401 } +402 Else +403 { +404 Set-ItemProperty -Path $SurfaceRegKey -Name LSV -Value $lsv +405 } +406 +407 If ($DateTimeRegValue -eq $null) +408 { +409 New-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -PropertyType String -Value $UTCDate | Out-Null +410 } +411 Else +412 { +413 Set-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -Value $UTCDate +414 } +415 +416 If ($OwnershipSessionIdRegValue -eq $null) +417 { +418 New-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -PropertyType String -Value $ownerSessionIdValue | Out-Null +419 } +420 Else +421 { +422 Set-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -Value $ownerSessionIdValue +423 } +424 +425 If ($PermissionSessionIdRegValue -eq $null) +426 { +427 New-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -PropertyType String -Value $permissionSessionIdValue | Out-Null +428 } +429 Else +430 { +431 Set-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -Value $permissionSessionIdValue +432 } +433 +434 If ($SettingsSessionIdRegValue -eq $null) +435 { +436 New-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -PropertyType String -Value $settingsSessionIdValue | Out-Null +437 } +438 Else +439 { +440 Set-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -Value $settingsSessionIdValue +441 } +442 +443 If ($IsResetRegValue -eq $null) +444 { +445 New-ItemProperty -Path $SurfaceRegKey -Name IsReset -PropertyType DWORD -Value 0 | Out-Null +446 } +447 Else +448 { +449 Set-ItemProperty -Path $SurfaceRegKey -Name IsReset -Value 0 +450 } +451 +452 If ($certUsedRegValue -eq $null) +453 { +454 New-ItemProperty -Path $SurfaceRegKey -Name CertName -PropertyType String -Value $certName | Out-Null +455 } +456 Else +457 { +458 Set-ItemProperty -Path $SurfaceRegKey -Name CertName -Value $certName +459 } +460 +461 If ($certIssuerRegValue -eq $null) +462 { +463 New-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -PropertyType String -Value $certIssuer | Out-Null +464 } +465 Else +466 { +467 Set-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -Value $certIssuer +468 } +469 +470 If ($certSubjectRegValue -eq $null) +471 { +472 New-ItemProperty -Path $SurfaceRegKey -Name CertSubject -PropertyType String -Value $certSubject | Out-Null +473 } +474 Else +475 { +476 Set-ItemProperty -Path $SurfaceRegKey -Name CertSubject -Value $certSubject +477 } ``` ### Settings names and IDs diff --git a/education/docfx.json b/education/docfx.json index c336a4de5b..2f691e4f77 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -27,6 +27,8 @@ "ROBOTS": "INDEX, FOLLOW", "audience": "windows-education", "ms.topic": "article", + "ms.technology": "windows", + "audience": "ITPro", "breadcrumb_path": "/education/breadcrumb/toc.json", "ms.date": "05/09/2017", "feedback_system": "GitHub", diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index d6010ad62c..3047fe8d8d 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index 170c94d505..986a6c4af0 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index 9495aa1d31..8633a400ed 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 0d5813061e..f0887073f7 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index bc564efa41..67b39af36c 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index 582134817f..cb83590354 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index 9a4b451c83..1a4fdb71e5 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index 6a025b3ff4..14a34bcda5 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index bdb1df0296..b4cdaad1f4 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -5,7 +5,7 @@ keywords: education, Microsoft 365 Education, trial, full cloud IT solution, sch ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: get-started +ms.topic: quickstart ms.localizationpriority: medium ms.pagetype: edu ROBOTS: noindex,nofollow diff --git a/mdop/agpm/TOC.md b/mdop/agpm/TOC.md index 1443cf78ae..319eeaf746 100644 --- a/mdop/agpm/TOC.md +++ b/mdop/agpm/TOC.md @@ -240,5 +240,6 @@ ###### [AGPM Server Connection Settings](agpm-server-connection-settings.md) ###### [Feature Visibility Settings](feature-visibility-settings.md) ##### [Other Enhancements to the GPMC](other-enhancements-to-the-gpmc.md) +## [Troubleshooting AGPM Upgrades](troubleshooting-agpm40-upgrades.md) ## [Resources for AGPM](resources-for-agpm.md) diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md index 324327c269..3832e088c4 100644 --- a/mdop/agpm/index.md +++ b/mdop/agpm/index.md @@ -1,7 +1,7 @@ --- title: Advanced Group Policy Management description: Advanced Group Policy Management -author: jamiejdt +author: dansimp ms.assetid: 493ca3c3-c3d6-4bb1-9430-dc1e43c86bb0 ms.pagetype: mdop ms.mktglfcycl: manage diff --git a/mdop/agpm/troubleshooting-agpm40-upgrades.md b/mdop/agpm/troubleshooting-agpm40-upgrades.md new file mode 100644 index 0000000000..a1b6663214 --- /dev/null +++ b/mdop/agpm/troubleshooting-agpm40-upgrades.md @@ -0,0 +1,41 @@ +--- +title: Troubleshooting AGPM Upgrades +description: Troubleshooting AGPM Upgrades +author: jedodson +ms.assetid: 1abbf0c1-fd32-46a8-a3ba-c005f066523d +ms.reviewer: +manager: dansimp +ms.author: jedodson +ms.pagetype: mdop +ms.mktglfcycl: manage +ms.sitesec: library +ms.prod: w10 +ms.date: 06/16/2016 +--- + + +# Troubleshooting AGPM Upgrades + +This section lists common issues that you may encounter when you upgrade your Advanced Group Policy Management (AGPM) server to a newer version (e.g. AGPM 4.0 to AGPM 4.3). To diagnose issues not listed here, it may be helpful to view the [Troubleshooting AGPM](troubleshooting-agpm-agpm40.md) or for an AGPM Administrator (Full Control) to use logging and tracing. For more information, see [Configure Logging and Tracing](configure-logging-and-tracing-agpm40.md). + +## What problems are you having? + +- [Failed to generate a HTML GPO difference report (Error code 80004003)](#bkmk-error-80004003) + +### Failed to generate a HTML GPO difference report (Error code 80004003) + +- **Cause**: You have installed the AGPM upgrade package with an incorrect account. + +- **Solution**: You will need to be an AGPM administrator in order to fix this issue. + + - Ensure you know the username & password of your **AGPM service account**. + + - Log onto your AGPM server interactively as your AGPM service account. + + - This is critically important, as the install will fail if you use a different account. + + - Shutdown the AGPM service. + + - Install the required hotfix. + + - Connect to AGPM using an AGPM client to test that your difference reports are now functioning. diff --git a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md index 1b90836822..5d1c399e81 100644 --- a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md +++ b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: manikadhiman ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-application-licensing.md b/mdop/appv-v4/about-application-licensing.md index 323ddc8447..039444d39d 100644 --- a/mdop/appv-v4/about-application-licensing.md +++ b/mdop/appv-v4/about-application-licensing.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-application-virtualization-applications.md b/mdop/appv-v4/about-application-virtualization-applications.md index bcde0caabe..81f4351171 100644 --- a/mdop/appv-v4/about-application-virtualization-applications.md +++ b/mdop/appv-v4/about-application-virtualization-applications.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-application-virtualization-packages.md b/mdop/appv-v4/about-application-virtualization-packages.md index cc5664e576..63e1915d67 100644 --- a/mdop/appv-v4/about-application-virtualization-packages.md +++ b/mdop/appv-v4/about-application-virtualization-packages.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-application-virtualization-servers.md b/mdop/appv-v4/about-application-virtualization-servers.md index 241dbca298..6078a1f5cb 100644 --- a/mdop/appv-v4/about-application-virtualization-servers.md +++ b/mdop/appv-v4/about-application-virtualization-servers.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md index 2ece8bb435..2379da3dff 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md index 6e0135e762..80134f7a39 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45.md b/mdop/appv-v4/about-microsoft-application-virtualization-45.md index 6747f077ed..827934974f 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-45.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-45.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md index aa774f657e..f2d49596f4 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md index d11db11a1f..ece900187a 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md index 5973540792..ef4f01c277 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46.md b/mdop/appv-v4/about-microsoft-application-virtualization-46.md index 394b921628..4e2161b45f 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-46.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-46.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-publishing.md b/mdop/appv-v4/about-publishing.md index 54ba36cfd3..0aab27b334 100644 --- a/mdop/appv-v4/about-publishing.md +++ b/mdop/appv-v4/about-publishing.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-sequencing-phases.md b/mdop/appv-v4/about-sequencing-phases.md index 78f1f65733..e9f821e89a 100644 --- a/mdop/appv-v4/about-sequencing-phases.md +++ b/mdop/appv-v4/about-sequencing-phases.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-sharing-package-accelerators-page.md b/mdop/appv-v4/about-sharing-package-accelerators-page.md index c8cf061993..880688dd13 100644 --- a/mdop/appv-v4/about-sharing-package-accelerators-page.md +++ b/mdop/appv-v4/about-sharing-package-accelerators-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-application-virtualization-sequencer.md b/mdop/appv-v4/about-the-application-virtualization-sequencer.md index 139afed1b7..c51d335407 100644 --- a/mdop/appv-v4/about-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/about-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-application-virtualization-server-management-console.md b/mdop/appv-v4/about-the-application-virtualization-server-management-console.md index eb23af68bb..e3654b07e0 100644 --- a/mdop/appv-v4/about-the-application-virtualization-server-management-console.md +++ b/mdop/appv-v4/about-the-application-virtualization-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-deployment-tab.md b/mdop/appv-v4/about-the-deployment-tab.md index ecd0dce407..7a0a6c25b4 100644 --- a/mdop/appv-v4/about-the-deployment-tab.md +++ b/mdop/appv-v4/about-the-deployment-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-the-files-tab.md b/mdop/appv-v4/about-the-files-tab.md index 8d8c64dd8b..2281e4a415 100644 --- a/mdop/appv-v4/about-the-files-tab.md +++ b/mdop/appv-v4/about-the-files-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-osd-tab.md b/mdop/appv-v4/about-the-osd-tab.md index 6355f6a8a5..cd15ddc088 100644 --- a/mdop/appv-v4/about-the-osd-tab.md +++ b/mdop/appv-v4/about-the-osd-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-properties-tab.md b/mdop/appv-v4/about-the-properties-tab.md index 60f67d1be8..49f24affb3 100644 --- a/mdop/appv-v4/about-the-properties-tab.md +++ b/mdop/appv-v4/about-the-properties-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-sequencer-console.md b/mdop/appv-v4/about-the-sequencer-console.md index 836a438e18..c9ade6aad8 100644 --- a/mdop/appv-v4/about-the-sequencer-console.md +++ b/mdop/appv-v4/about-the-sequencer-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-virtual-file-system-tab.md b/mdop/appv-v4/about-the-virtual-file-system-tab.md index bd07a942c7..c63df76467 100644 --- a/mdop/appv-v4/about-the-virtual-file-system-tab.md +++ b/mdop/appv-v4/about-the-virtual-file-system-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/about-the-virtual-registry-tab.md b/mdop/appv-v4/about-the-virtual-registry-tab.md index 71e0e3aa94..580a4456c0 100644 --- a/mdop/appv-v4/about-the-virtual-registry-tab.md +++ b/mdop/appv-v4/about-the-virtual-registry-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-the-virtual-services-tab.md b/mdop/appv-v4/about-the-virtual-services-tab.md index 94b51a9dd2..9da1a5c4f1 100644 --- a/mdop/appv-v4/about-the-virtual-services-tab.md +++ b/mdop/appv-v4/about-the-virtual-services-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-using-the-sequencer-command-line.md b/mdop/appv-v4/about-using-the-sequencer-command-line.md index 844d28f414..b54eeb6152 100644 --- a/mdop/appv-v4/about-using-the-sequencer-command-line.md +++ b/mdop/appv-v4/about-using-the-sequencer-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/about-virtual-environments.md b/mdop/appv-v4/about-virtual-environments.md index 91448a0bbb..263e550a58 100644 --- a/mdop/appv-v4/about-virtual-environments.md +++ b/mdop/appv-v4/about-virtual-environments.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/add-app.md b/mdop/appv-v4/add-app.md index 56e1ff83ee..be8e8866ee 100644 --- a/mdop/appv-v4/add-app.md +++ b/mdop/appv-v4/add-app.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/add-package.md b/mdop/appv-v4/add-package.md index 58a1f87769..80ed132da5 100644 --- a/mdop/appv-v4/add-package.md +++ b/mdop/appv-v4/add-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/add-server.md b/mdop/appv-v4/add-server.md index 3db501a538..546c6c2e3a 100644 --- a/mdop/appv-v4/add-server.md +++ b/mdop/appv-v4/add-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/add-type.md b/mdop/appv-v4/add-type.md index 804035833e..cfcbb9e6fb 100644 --- a/mdop/appv-v4/add-type.md +++ b/mdop/appv-v4/add-type.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/administrators-node.md b/mdop/appv-v4/administrators-node.md index 4c36416137..633c1da358 100644 --- a/mdop/appv-v4/administrators-node.md +++ b/mdop/appv-v4/administrators-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/administrators-results-pane-columns.md b/mdop/appv-v4/administrators-results-pane-columns.md index 7a62f2ddf6..57de6d3cde 100644 --- a/mdop/appv-v4/administrators-results-pane-columns.md +++ b/mdop/appv-v4/administrators-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/administrators-results-pane.md b/mdop/appv-v4/administrators-results-pane.md index 8432b0e579..88516a4348 100644 --- a/mdop/appv-v4/administrators-results-pane.md +++ b/mdop/appv-v4/administrators-results-pane.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md index 055f74d65d..4eec31af83 100644 --- a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/app-v-45-sp2-release-notes.md b/mdop/appv-v4/app-v-45-sp2-release-notes.md index dc5d8fafe0..ab0e856ca4 100644 --- a/mdop/appv-v4/app-v-45-sp2-release-notes.md +++ b/mdop/appv-v4/app-v-45-sp2-release-notes.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- @@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client: -**    msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** +**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command: -**    msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** +**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** **Note**   - The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2. diff --git a/mdop/appv-v4/app-v-46-release-notes.md b/mdop/appv-v4/app-v-46-release-notes.md index efa16e1ff9..08a8ca5d64 100644 --- a/mdop/appv-v4/app-v-46-release-notes.md +++ b/mdop/appv-v4/app-v-46-release-notes.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-46-sp1-release-notes.md b/mdop/appv-v4/app-v-46-sp1-release-notes.md index 09ea6abd40..dd7fa73a1b 100644 --- a/mdop/appv-v4/app-v-46-sp1-release-notes.md +++ b/mdop/appv-v4/app-v-46-sp1-release-notes.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-46-sp2-release-notes.md b/mdop/appv-v4/app-v-46-sp2-release-notes.md index 9da44bdde6..227967a34a 100644 --- a/mdop/appv-v4/app-v-46-sp2-release-notes.md +++ b/mdop/appv-v4/app-v-46-sp2-release-notes.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-46-sp3-release-notes.md b/mdop/appv-v4/app-v-46-sp3-release-notes.md index 7dc2b557c3..d62afda16b 100644 --- a/mdop/appv-v4/app-v-46-sp3-release-notes.md +++ b/mdop/appv-v4/app-v-46-sp3-release-notes.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-application-wmi-class.md b/mdop/appv-v4/app-v-application-wmi-class.md index 7aae865573..3567a8da0e 100644 --- a/mdop/appv-v4/app-v-application-wmi-class.md +++ b/mdop/appv-v4/app-v-application-wmi-class.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/app-v-client-registry-values-sp1.md b/mdop/appv-v4/app-v-client-registry-values-sp1.md index 59e5ac9ae5..5edc5870e2 100644 --- a/mdop/appv-v4/app-v-client-registry-values-sp1.md +++ b/mdop/appv-v4/app-v-client-registry-values-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-desktop-client-security.md b/mdop/appv-v4/app-v-desktop-client-security.md index 8b1261715e..2bf8723032 100644 --- a/mdop/appv-v4/app-v-desktop-client-security.md +++ b/mdop/appv-v4/app-v-desktop-client-security.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-installation-checklist.md b/mdop/appv-v4/app-v-installation-checklist.md index 4b2e5c573d..68208f051d 100644 --- a/mdop/appv-v4/app-v-installation-checklist.md +++ b/mdop/appv-v4/app-v-installation-checklist.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md index be861b5d2c..b4fc7f6ba0 100644 --- a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md +++ b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-package-wmi-class.md b/mdop/appv-v4/app-v-package-wmi-class.md index bd91ad1751..f9efeee4ce 100644 --- a/mdop/appv-v4/app-v-package-wmi-class.md +++ b/mdop/appv-v4/app-v-package-wmi-class.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/app-v-postinstallation-checklist.md b/mdop/appv-v4/app-v-postinstallation-checklist.md index 87b30551fd..814811b75f 100644 --- a/mdop/appv-v4/app-v-postinstallation-checklist.md +++ b/mdop/appv-v4/app-v-postinstallation-checklist.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/app-v-pre-installation-checklist.md b/mdop/appv-v4/app-v-pre-installation-checklist.md index c426c83566..4de02e6032 100644 --- a/mdop/appv-v4/app-v-pre-installation-checklist.md +++ b/mdop/appv-v4/app-v-pre-installation-checklist.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/app-v-upgrade-checklist.md b/mdop/appv-v4/app-v-upgrade-checklist.md index fcabc76d01..942fa32de6 100644 --- a/mdop/appv-v4/app-v-upgrade-checklist.md +++ b/mdop/appv-v4/app-v-upgrade-checklist.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/application-utilization-reportserver.md b/mdop/appv-v4/application-utilization-reportserver.md index 29301ef748..78ed55aaad 100644 --- a/mdop/appv-v4/application-utilization-reportserver.md +++ b/mdop/appv-v4/application-utilization-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md index fbeb7f66e6..e7bf14bd06 100644 --- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md index 5934984a4d..2f13cd29a0 100644 --- a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md +++ b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-management-console-overview.md b/mdop/appv-v4/application-virtualization-client-management-console-overview.md index 314b2e91ef..1f514c7ba3 100644 --- a/mdop/appv-v4/application-virtualization-client-management-console-overview.md +++ b/mdop/appv-v4/application-virtualization-client-management-console-overview.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-management-console-reference.md b/mdop/appv-v4/application-virtualization-client-management-console-reference.md index 0d705a6dbc..e13ceabe61 100644 --- a/mdop/appv-v4/application-virtualization-client-management-console-reference.md +++ b/mdop/appv-v4/application-virtualization-client-management-console-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md b/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md index c00f5ef58d..a65de90286 100644 --- a/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md +++ b/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-management-console.md b/mdop/appv-v4/application-virtualization-client-management-console.md index 703e1fcab3..e8e5980d13 100644 --- a/mdop/appv-v4/application-virtualization-client-management-console.md +++ b/mdop/appv-v4/application-virtualization-client-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-reference.md b/mdop/appv-v4/application-virtualization-client-reference.md index 2363a32ee3..bc3dbef0d8 100644 --- a/mdop/appv-v4/application-virtualization-client-reference.md +++ b/mdop/appv-v4/application-virtualization-client-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client-wmi-provider.md b/mdop/appv-v4/application-virtualization-client-wmi-provider.md index 39b1ebb2ed..dd3b3f8eae 100644 --- a/mdop/appv-v4/application-virtualization-client-wmi-provider.md +++ b/mdop/appv-v4/application-virtualization-client-wmi-provider.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-client.md b/mdop/appv-v4/application-virtualization-client.md index 1756d814d7..819dd8bed1 100644 --- a/mdop/appv-v4/application-virtualization-client.md +++ b/mdop/appv-v4/application-virtualization-client.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md index ae15062828..4bd4d4fe49 100644 --- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md +++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md index c7c5b57205..d71379b47f 100644 --- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md +++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md index 7e6e309b9b..c09ced741d 100644 --- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md +++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-deployment-requirements.md b/mdop/appv-v4/application-virtualization-deployment-requirements.md index 2d00a73d21..9baee67d59 100644 --- a/mdop/appv-v4/application-virtualization-deployment-requirements.md +++ b/mdop/appv-v4/application-virtualization-deployment-requirements.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-glossary.md b/mdop/appv-v4/application-virtualization-glossary.md index 441bff3d5d..3669509527 100644 --- a/mdop/appv-v4/application-virtualization-glossary.md +++ b/mdop/appv-v4/application-virtualization-glossary.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md b/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md index c459939b7c..9b480ae5f3 100644 --- a/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-properties-file-system-tab.md b/mdop/appv-v4/application-virtualization-properties-file-system-tab.md index 2a116d4707..fe4acb134a 100644 --- a/mdop/appv-v4/application-virtualization-properties-file-system-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-file-system-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-properties-general-tab.md b/mdop/appv-v4/application-virtualization-properties-general-tab.md index 31bfb94c4b..375209e344 100644 --- a/mdop/appv-v4/application-virtualization-properties-general-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-general-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md b/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md index 87085b92cf..ada91ffa6f 100644 --- a/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-properties-interface-tab.md b/mdop/appv-v4/application-virtualization-properties-interface-tab.md index 558c483a39..fedbe93af5 100644 --- a/mdop/appv-v4/application-virtualization-properties-interface-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-interface-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-properties-permissions-tab.md b/mdop/appv-v4/application-virtualization-properties-permissions-tab.md index b80b1b8d6a..b830275c12 100644 --- a/mdop/appv-v4/application-virtualization-properties-permissions-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-permissions-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-reference.md b/mdop/appv-v4/application-virtualization-reference.md index 974d97b6f6..11b374d4e3 100644 --- a/mdop/appv-v4/application-virtualization-reference.md +++ b/mdop/appv-v4/application-virtualization-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-report-types.md b/mdop/appv-v4/application-virtualization-report-types.md index 6ea5f2c5b6..3e81bdd8f6 100644 --- a/mdop/appv-v4/application-virtualization-report-types.md +++ b/mdop/appv-v4/application-virtualization-report-types.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-command-line.md b/mdop/appv-v4/application-virtualization-sequencer-command-line.md index a8be9c0b31..abbc660844 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-command-line.md +++ b/mdop/appv-v4/application-virtualization-sequencer-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-console-overview.md b/mdop/appv-v4/application-virtualization-sequencer-console-overview.md index cb4b33d294..1669e0fe12 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-console-overview.md +++ b/mdop/appv-v4/application-virtualization-sequencer-console-overview.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md index 22cdebc6e0..cc7fa3c205 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-online-help.md b/mdop/appv-v4/application-virtualization-sequencer-online-help.md index ca78682274..3164dedaf1 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-online-help.md +++ b/mdop/appv-v4/application-virtualization-sequencer-online-help.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md index 99a1ab2bb0..894504a132 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md +++ b/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-overview.md b/mdop/appv-v4/application-virtualization-sequencer-overview.md index 3c9e44e3ab..efe77f6f0e 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-overview.md +++ b/mdop/appv-v4/application-virtualization-sequencer-overview.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-reference.md b/mdop/appv-v4/application-virtualization-sequencer-reference.md index e68f8bfb5c..69240cc62a 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-reference.md +++ b/mdop/appv-v4/application-virtualization-sequencer-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md b/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md index 75d1b5f1a4..36c372bd1c 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md +++ b/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencer.md b/mdop/appv-v4/application-virtualization-sequencer.md index 7ba4e42e1c..3f31f87b42 100644 --- a/mdop/appv-v4/application-virtualization-sequencer.md +++ b/mdop/appv-v4/application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md index 19fe7b1ff4..e3b9b48948 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md index 6b96b69061..7d58727b72 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md index a987309e5f..1a7aceec55 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md index bea986ef57..c195624f90 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md index fde9035b02..0fa1b9ca03 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md index fbbb325980..995ae0facc 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md index cab2f6fa85..8f834f6d26 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md index 3cefd2e341..996fff81b1 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md index e27772099e..6a9437812a 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md index ac297b38e4..87689f417f 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md index fd47fcd34c..f39efad9be 100644 --- a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md +++ b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario.md b/mdop/appv-v4/application-virtualization-server-based-scenario.md index e572a24620..84336dad16 100644 --- a/mdop/appv-v4/application-virtualization-server-based-scenario.md +++ b/mdop/appv-v4/application-virtualization-server-based-scenario.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-server-management-console-reference.md b/mdop/appv-v4/application-virtualization-server-management-console-reference.md index 24e202d492..c36cd7f3fd 100644 --- a/mdop/appv-v4/application-virtualization-server-management-console-reference.md +++ b/mdop/appv-v4/application-virtualization-server-management-console-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-server-management-help.md b/mdop/appv-v4/application-virtualization-server-management-help.md index eebfea01e7..7ae7b3aab4 100644 --- a/mdop/appv-v4/application-virtualization-server-management-help.md +++ b/mdop/appv-v4/application-virtualization-server-management-help.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-server.md b/mdop/appv-v4/application-virtualization-server.md index 088cca81ff..db3ac34238 100644 --- a/mdop/appv-v4/application-virtualization-server.md +++ b/mdop/appv-v4/application-virtualization-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-system-requirements.md b/mdop/appv-v4/application-virtualization-system-requirements.md index 0688d51f04..d912bfff73 100644 --- a/mdop/appv-v4/application-virtualization-system-requirements.md +++ b/mdop/appv-v4/application-virtualization-system-requirements.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md b/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md index 0e6f43502d..3420240770 100644 --- a/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md +++ b/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-licenses-node.md b/mdop/appv-v4/applications-licenses-node.md index e41472ad97..3bc727a6b1 100644 --- a/mdop/appv-v4/applications-licenses-node.md +++ b/mdop/appv-v4/applications-licenses-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-licenses-results-pane-columns.md b/mdop/appv-v4/applications-licenses-results-pane-columns.md index db5a7c01f6..9fe5dbaaf8 100644 --- a/mdop/appv-v4/applications-licenses-results-pane-columns.md +++ b/mdop/appv-v4/applications-licenses-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-licenses-results-pane.md b/mdop/appv-v4/applications-licenses-results-pane.md index 8ef30047ea..3339644301 100644 --- a/mdop/appv-v4/applications-licenses-results-pane.md +++ b/mdop/appv-v4/applications-licenses-results-pane.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-node-in-server-management-console.md b/mdop/appv-v4/applications-node-in-server-management-console.md index 69d90c8bdb..0dd4066e35 100644 --- a/mdop/appv-v4/applications-node-in-server-management-console.md +++ b/mdop/appv-v4/applications-node-in-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-node.md b/mdop/appv-v4/applications-node.md index 872ead9d24..760ebc733a 100644 --- a/mdop/appv-v4/applications-node.md +++ b/mdop/appv-v4/applications-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md index f39b06792c..55a7172da2 100644 --- a/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md +++ b/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-results-pane-columns.md b/mdop/appv-v4/applications-results-pane-columns.md index 763e99c393..c7c7c41ec3 100644 --- a/mdop/appv-v4/applications-results-pane-columns.md +++ b/mdop/appv-v4/applications-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-results-pane-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-in-server-management-console.md index bd376a200e..ea36979d73 100644 --- a/mdop/appv-v4/applications-results-pane-in-server-management-console.md +++ b/mdop/appv-v4/applications-results-pane-in-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/applications-results-pane.md b/mdop/appv-v4/applications-results-pane.md index 22f28cbc17..ad52fe65d1 100644 --- a/mdop/appv-v4/applications-results-pane.md +++ b/mdop/appv-v4/applications-results-pane.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md index 98700d6626..8ac9a89ec9 100644 --- a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md +++ b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/change-history-tab-keep.md b/mdop/appv-v4/change-history-tab-keep.md index 4347604ec5..7de068d479 100644 --- a/mdop/appv-v4/change-history-tab-keep.md +++ b/mdop/appv-v4/change-history-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/clear-app.md b/mdop/appv-v4/clear-app.md index c2d2aabe62..ce8c9d4c5f 100644 --- a/mdop/appv-v4/clear-app.md +++ b/mdop/appv-v4/clear-app.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/clear-obj.md b/mdop/appv-v4/clear-obj.md index d3ca15bcc0..33dfd04705 100644 --- a/mdop/appv-v4/clear-obj.md +++ b/mdop/appv-v4/clear-obj.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/client-management-console-about-dialog-boxes.md b/mdop/appv-v4/client-management-console-about-dialog-boxes.md index 97a9f99b1d..67b7ff9eaa 100644 --- a/mdop/appv-v4/client-management-console-about-dialog-boxes.md +++ b/mdop/appv-v4/client-management-console-about-dialog-boxes.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/client-management-console-application-virtualization-node.md b/mdop/appv-v4/client-management-console-application-virtualization-node.md index 5f7297aa42..9ea64120a9 100644 --- a/mdop/appv-v4/client-management-console-application-virtualization-node.md +++ b/mdop/appv-v4/client-management-console-application-virtualization-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/client-management-console-application-virtualization-properties.md b/mdop/appv-v4/client-management-console-application-virtualization-properties.md index 5da7bbfacd..85513a0959 100644 --- a/mdop/appv-v4/client-management-console-application-virtualization-properties.md +++ b/mdop/appv-v4/client-management-console-application-virtualization-properties.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/client-management-console-applications-node.md b/mdop/appv-v4/client-management-console-applications-node.md index 586ba675da..6661141ad2 100644 --- a/mdop/appv-v4/client-management-console-applications-node.md +++ b/mdop/appv-v4/client-management-console-applications-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/client-management-console-file-type-associations-node.md b/mdop/appv-v4/client-management-console-file-type-associations-node.md index f30e504b85..f0c5570f3c 100644 --- a/mdop/appv-v4/client-management-console-file-type-associations-node.md +++ b/mdop/appv-v4/client-management-console-file-type-associations-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/client-management-console-publishing-servers-node.md b/mdop/appv-v4/client-management-console-publishing-servers-node.md index 304a71be0d..f863e5d717 100644 --- a/mdop/appv-v4/client-management-console-publishing-servers-node.md +++ b/mdop/appv-v4/client-management-console-publishing-servers-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/command-line-errors.md b/mdop/appv-v4/command-line-errors.md index 4acd9ab657..3da8e0d9f9 100644 --- a/mdop/appv-v4/command-line-errors.md +++ b/mdop/appv-v4/command-line-errors.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/command-line-parameters.md b/mdop/appv-v4/command-line-parameters.md index b404816379..2c67aced2f 100644 --- a/mdop/appv-v4/command-line-parameters.md +++ b/mdop/appv-v4/command-line-parameters.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/completion-page-package-accelerator.md b/mdop/appv-v4/completion-page-package-accelerator.md index 27a3c7d86a..7542c71906 100644 --- a/mdop/appv-v4/completion-page-package-accelerator.md +++ b/mdop/appv-v4/completion-page-package-accelerator.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/completion-page.md b/mdop/appv-v4/completion-page.md index 185a46fbcb..c733a56d5d 100644 --- a/mdop/appv-v4/completion-page.md +++ b/mdop/appv-v4/completion-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configure-app.md b/mdop/appv-v4/configure-app.md index b79e177839..407824e6a0 100644 --- a/mdop/appv-v4/configure-app.md +++ b/mdop/appv-v4/configure-app.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configure-package.md b/mdop/appv-v4/configure-package.md index 140a076da1..2bccdbf61d 100644 --- a/mdop/appv-v4/configure-package.md +++ b/mdop/appv-v4/configure-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configure-server.md b/mdop/appv-v4/configure-server.md index 80234b1cb8..ed7f5ca4d8 100644 --- a/mdop/appv-v4/configure-server.md +++ b/mdop/appv-v4/configure-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configure-software-page--learn-more-.md b/mdop/appv-v4/configure-software-page--learn-more-.md index af0b0a1d3a..87abcb67dd 100644 --- a/mdop/appv-v4/configure-software-page--learn-more-.md +++ b/mdop/appv-v4/configure-software-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configure-software-page-app-v-46-sp1.md b/mdop/appv-v4/configure-software-page-app-v-46-sp1.md index a34c98a052..7d201afb8d 100644 --- a/mdop/appv-v4/configure-software-page-app-v-46-sp1.md +++ b/mdop/appv-v4/configure-software-page-app-v-46-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configure-type.md b/mdop/appv-v4/configure-type.md index e835038f35..42307e58cb 100644 --- a/mdop/appv-v4/configure-type.md +++ b/mdop/appv-v4/configure-type.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md b/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md index 13366bf24f..1fe3f100c5 100644 --- a/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md +++ b/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/configuring-app-v-for-secure-administration.md b/mdop/appv-v4/configuring-app-v-for-secure-administration.md index c7cba41d0a..a71fffa3c7 100644 --- a/mdop/appv-v4/configuring-app-v-for-secure-administration.md +++ b/mdop/appv-v4/configuring-app-v-for-secure-administration.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md index 5c2c349db4..fe8ec7d8bc 100644 --- a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md +++ b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md index 2a4167506b..86f2485e5c 100644 --- a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md +++ b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md b/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md index 5465035643..7999d55e32 100644 --- a/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md +++ b/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/configuring-iis-for-secure-streaming.md b/mdop/appv-v4/configuring-iis-for-secure-streaming.md index 7257a99ab0..1e5c0be5b8 100644 --- a/mdop/appv-v4/configuring-iis-for-secure-streaming.md +++ b/mdop/appv-v4/configuring-iis-for-secure-streaming.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md b/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md index 96a4b5539a..022b096208 100644 --- a/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md +++ b/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md b/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md index 1bd95ead94..92700f1f2a 100644 --- a/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md +++ b/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md b/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md index edc3ef0f37..f8ec256bdd 100644 --- a/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md +++ b/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md b/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md index d464360774..571b263abc 100644 --- a/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md b/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md index e30320dafe..688c137ae2 100644 --- a/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md +++ b/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/configuring-windows-firewall-for-app-v.md b/mdop/appv-v4/configuring-windows-firewall-for-app-v.md index 73934119ca..f97d412295 100644 --- a/mdop/appv-v4/configuring-windows-firewall-for-app-v.md +++ b/mdop/appv-v4/configuring-windows-firewall-for-app-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md b/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md index fc96660a9f..11cb5f957c 100644 --- a/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md +++ b/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/create-package-accelerator--review-errors--page.md b/mdop/appv-v4/create-package-accelerator--review-errors--page.md index 8d75ae4c4d..63cdf9f7e1 100644 --- a/mdop/appv-v4/create-package-accelerator--review-errors--page.md +++ b/mdop/appv-v4/create-package-accelerator--review-errors--page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/create-package-accelerator-page.md b/mdop/appv-v4/create-package-accelerator-page.md index 375a138612..2d86172bf5 100644 --- a/mdop/appv-v4/create-package-accelerator-page.md +++ b/mdop/appv-v4/create-package-accelerator-page.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md b/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md index 71a197fc05..65aba0176a 100644 --- a/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md +++ b/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/create-package-page--app-v-46-sp1.md b/mdop/appv-v4/create-package-page--app-v-46-sp1.md index 11e4b06c98..cfd5f7b2fc 100644 --- a/mdop/appv-v4/create-package-page--app-v-46-sp1.md +++ b/mdop/appv-v4/create-package-page--app-v-46-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/customize-page--learn-more-.md b/mdop/appv-v4/customize-page--learn-more-.md index 6a0e3c74c1..0bed35f090 100644 --- a/mdop/appv-v4/customize-page--learn-more-.md +++ b/mdop/appv-v4/customize-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md index e4c834e85d..a4d6ce5126 100644 --- a/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md index 07fbba35bd..0fc1fd41be 100644 --- a/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/delete-app.md b/mdop/appv-v4/delete-app.md index 0e41d65f85..a5a5189fe4 100644 --- a/mdop/appv-v4/delete-app.md +++ b/mdop/appv-v4/delete-app.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/delete-obj.md b/mdop/appv-v4/delete-obj.md index 6b5acf34df..e0e1085ae9 100644 --- a/mdop/appv-v4/delete-obj.md +++ b/mdop/appv-v4/delete-obj.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/delete-package.md b/mdop/appv-v4/delete-package.md index 925e63a5c9..f89b69d461 100644 --- a/mdop/appv-v4/delete-package.md +++ b/mdop/appv-v4/delete-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/delete-server.md b/mdop/appv-v4/delete-server.md index 4f021d2a66..7425b0751b 100644 --- a/mdop/appv-v4/delete-server.md +++ b/mdop/appv-v4/delete-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/delete-type.md b/mdop/appv-v4/delete-type.md index d0a905b4ee..62cbd9b1c7 100644 --- a/mdop/appv-v4/delete-type.md +++ b/mdop/appv-v4/delete-type.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/deployment-tab.md b/mdop/appv-v4/deployment-tab.md index d6e1eff0b6..0b872aa0ce 100644 --- a/mdop/appv-v4/deployment-tab.md +++ b/mdop/appv-v4/deployment-tab.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/determine-your-publishing-method.md b/mdop/appv-v4/determine-your-publishing-method.md index 1883661846..683549aa16 100644 --- a/mdop/appv-v4/determine-your-publishing-method.md +++ b/mdop/appv-v4/determine-your-publishing-method.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/determine-your-streaming-method.md b/mdop/appv-v4/determine-your-streaming-method.md index 290ebfd16b..eac83fa0c2 100644 --- a/mdop/appv-v4/determine-your-streaming-method.md +++ b/mdop/appv-v4/determine-your-streaming-method.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md b/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md index 9ff9753e82..a61b7c716f 100644 --- a/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md +++ b/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/disconnected-operation-mode.md b/mdop/appv-v4/disconnected-operation-mode.md index dd0d4d4240..b123b249f9 100644 --- a/mdop/appv-v4/disconnected-operation-mode.md +++ b/mdop/appv-v4/disconnected-operation-mode.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md b/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md index d0ea1928a7..7abf4bd3a7 100644 --- a/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md +++ b/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/edit-shortcuts-learn-more.md b/mdop/appv-v4/edit-shortcuts-learn-more.md index ace37c7243..830abacbd3 100644 --- a/mdop/appv-v4/edit-shortcuts-learn-more.md +++ b/mdop/appv-v4/edit-shortcuts-learn-more.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md index 51c635b149..6173dbdd7a 100644 --- a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md +++ b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario.md b/mdop/appv-v4/electronic-software-distribution-based-scenario.md index 2c8df5d6cd..d99c4ce90f 100644 --- a/mdop/appv-v4/electronic-software-distribution-based-scenario.md +++ b/mdop/appv-v4/electronic-software-distribution-based-scenario.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/exclusion-item-dialog-box.md b/mdop/appv-v4/exclusion-item-dialog-box.md index 3038ca2a54..250a430862 100644 --- a/mdop/appv-v4/exclusion-item-dialog-box.md +++ b/mdop/appv-v4/exclusion-item-dialog-box.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/exclusion-items-tab-keep.md b/mdop/appv-v4/exclusion-items-tab-keep.md index 03cef6b8c2..e4dcff97c2 100644 --- a/mdop/appv-v4/exclusion-items-tab-keep.md +++ b/mdop/appv-v4/exclusion-items-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md index 5e81d25347..a08aea1e5d 100644 --- a/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/file-type-association-results-pane-columns.md b/mdop/appv-v4/file-type-association-results-pane-columns.md index 553b985e35..1cdc78f1cc 100644 --- a/mdop/appv-v4/file-type-association-results-pane-columns.md +++ b/mdop/appv-v4/file-type-association-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/file-type-association-results-pane.md b/mdop/appv-v4/file-type-association-results-pane.md index c390505e3b..3b6a32eb71 100644 --- a/mdop/appv-v4/file-type-association-results-pane.md +++ b/mdop/appv-v4/file-type-association-results-pane.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/file-type-associations-node-client.md b/mdop/appv-v4/file-type-associations-node-client.md index eb1add60af..4182a0dbbf 100644 --- a/mdop/appv-v4/file-type-associations-node-client.md +++ b/mdop/appv-v4/file-type-associations-node-client.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/file-type-associations-node.md b/mdop/appv-v4/file-type-associations-node.md index a3c15d61a1..f739cf0208 100644 --- a/mdop/appv-v4/file-type-associations-node.md +++ b/mdop/appv-v4/file-type-associations-node.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/file-type-associations-results-pane-columns.md b/mdop/appv-v4/file-type-associations-results-pane-columns.md index 328719b89c..1458316d50 100644 --- a/mdop/appv-v4/file-type-associations-results-pane-columns.md +++ b/mdop/appv-v4/file-type-associations-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/file-type-associations-results-pane.md b/mdop/appv-v4/file-type-associations-results-pane.md index b92248b3ce..b1f2badd96 100644 --- a/mdop/appv-v4/file-type-associations-results-pane.md +++ b/mdop/appv-v4/file-type-associations-results-pane.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md index 3d67e35b05..c994c8d5e0 100644 --- a/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/files-tab-keep.md b/mdop/appv-v4/files-tab-keep.md index 3c616264a1..aaeebd7805 100644 --- a/mdop/appv-v4/files-tab-keep.md +++ b/mdop/appv-v4/files-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/gathering-information-page--learn-more-.md b/mdop/appv-v4/gathering-information-page--learn-more-.md index c6c6f38d8a..2fb6c6cc6f 100644 --- a/mdop/appv-v4/gathering-information-page--learn-more-.md +++ b/mdop/appv-v4/gathering-information-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/general-tab-keep.md b/mdop/appv-v4/general-tab-keep.md index 4df61af9be..58ae9340d1 100644 --- a/mdop/appv-v4/general-tab-keep.md +++ b/mdop/appv-v4/general-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/guidance-page-app-v-46-sp1.md b/mdop/appv-v4/guidance-page-app-v-46-sp1.md index 879ece17d3..6af524a1e1 100644 --- a/mdop/appv-v4/guidance-page-app-v-46-sp1.md +++ b/mdop/appv-v4/guidance-page-app-v-46-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/help.md b/mdop/appv-v4/help.md index 287e3fa741..1b14a81bf2 100644 --- a/mdop/appv-v4/help.md +++ b/mdop/appv-v4/help.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-a-file-type-association.md b/mdop/appv-v4/how-to-add-a-file-type-association.md index 046d2f8f0d..bd5e1a7cb5 100644 --- a/mdop/appv-v4/how-to-add-a-file-type-association.md +++ b/mdop/appv-v4/how-to-add-a-file-type-association.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md b/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md index 8f7b5ed7f5..6b9c002b72 100644 --- a/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-a-package-version.md b/mdop/appv-v4/how-to-add-a-package-version.md index b2aba5778b..6a4b7c4372 100644 --- a/mdop/appv-v4/how-to-add-a-package-version.md +++ b/mdop/appv-v4/how-to-add-a-package-version.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-a-package.md b/mdop/appv-v4/how-to-add-a-package.md index 4e55ae9e08..b9f409c2cb 100644 --- a/mdop/appv-v4/how-to-add-a-package.md +++ b/mdop/appv-v4/how-to-add-a-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-a-server.md b/mdop/appv-v4/how-to-add-a-server.md index 4649e67c3f..0fb467e68f 100644 --- a/mdop/appv-v4/how-to-add-a-server.md +++ b/mdop/appv-v4/how-to-add-a-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-an-administrator-group.md b/mdop/appv-v4/how-to-add-an-administrator-group.md index 193e0366bd..27067fbc52 100644 --- a/mdop/appv-v4/how-to-add-an-administrator-group.md +++ b/mdop/appv-v4/how-to-add-an-administrator-group.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-add-an-application.md b/mdop/appv-v4/how-to-add-an-application.md index 71dbe1c7f8..760c7f8540 100644 --- a/mdop/appv-v4/how-to-add-an-application.md +++ b/mdop/appv-v4/how-to-add-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md index c1ecf63c7e..2616fee08d 100644 --- a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md index 4ac9accd65..ca8c706037 100644 --- a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md index ae25bdef3b..f24d17b75f 100644 --- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md +++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md index 2d0a95bbfd..9e1d52e3fc 100644 --- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md +++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md index ffb07d7155..84d62ca579 100644 --- a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md +++ b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-branch-a-package.md b/mdop/appv-v4/how-to-branch-a-package.md index 52221d9dd2..9b2ab8c069 100644 --- a/mdop/appv-v4/how-to-branch-a-package.md +++ b/mdop/appv-v4/how-to-branch-a-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md index d5b2380a20..32dfc28858 100644 --- a/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md +++ b/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-an-application-icon.md b/mdop/appv-v4/how-to-change-an-application-icon.md index 1f2881c4f8..9e9dbf95b0 100644 --- a/mdop/appv-v4/how-to-change-an-application-icon.md +++ b/mdop/appv-v4/how-to-change-an-application-icon.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-an-application-iconserver.md b/mdop/appv-v4/how-to-change-an-application-iconserver.md index 7f85c76a15..19445774d2 100644 --- a/mdop/appv-v4/how-to-change-an-application-iconserver.md +++ b/mdop/appv-v4/how-to-change-an-application-iconserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-deployment-properties.md b/mdop/appv-v4/how-to-change-deployment-properties.md index 66c8d2fd96..f9eb0b5d3f 100644 --- a/mdop/appv-v4/how-to-change-deployment-properties.md +++ b/mdop/appv-v4/how-to-change-deployment-properties.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-import-search-paths.md b/mdop/appv-v4/how-to-change-import-search-paths.md index 928852dfa1..fef1c273d9 100644 --- a/mdop/appv-v4/how-to-change-import-search-paths.md +++ b/mdop/appv-v4/how-to-change-import-search-paths.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-package-properties.md b/mdop/appv-v4/how-to-change-package-properties.md index abe69abeb3..565e4c27e9 100644 --- a/mdop/appv-v4/how-to-change-package-properties.md +++ b/mdop/appv-v4/how-to-change-package-properties.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md index 8346a0eb10..0aed8a88e3 100644 --- a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md +++ b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md index c981b9ffd1..4c3247ee57 100644 --- a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md +++ b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-the-server-cache-size.md b/mdop/appv-v4/how-to-change-the-server-cache-size.md index 198ee9a625..5b61e12a03 100644 --- a/mdop/appv-v4/how-to-change-the-server-cache-size.md +++ b/mdop/appv-v4/how-to-change-the-server-cache-size.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md index 8bfcb4dcb4..baeeef43e1 100644 --- a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md +++ b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-the-server-port.md b/mdop/appv-v4/how-to-change-the-server-port.md index 3a807f2d68..14d1933fb9 100644 --- a/mdop/appv-v4/how-to-change-the-server-port.md +++ b/mdop/appv-v4/how-to-change-the-server-port.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md b/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md index 7fe070657a..db72c07843 100644 --- a/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md +++ b/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-change-user-access-permissions.md b/mdop/appv-v4/how-to-change-user-access-permissions.md index ef7947df2b..e935af3cad 100644 --- a/mdop/appv-v4/how-to-change-user-access-permissions.md +++ b/mdop/appv-v4/how-to-change-user-access-permissions.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-clear-an-application.md b/mdop/appv-v4/how-to-clear-an-application.md index c738ca904d..2fba3e47a3 100644 --- a/mdop/appv-v4/how-to-clear-an-application.md +++ b/mdop/appv-v4/how-to-clear-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md index 801b2d13bc..0a694a6795 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- @@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil 3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled. - **     fsutil behavior set SymlinkEvaluation R2R:1** + **fsutil behavior set SymlinkEvaluation R2R:1** **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md index 2ee211e811..8fd997eafd 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- @@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi 3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled. - **     fsutil behavior set SymlinkEvaluation R2R:1** + **fsutil behavior set SymlinkEvaluation R2R:1** **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. diff --git a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md index ec3efe7a1a..c14a8c48a6 100644 --- a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md +++ b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md index 978aefac2f..2b4a53819a 100644 --- a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md +++ b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md b/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md index 4f60659a53..1c79254fd6 100644 --- a/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md +++ b/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md b/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md index 9fb56f0792..5a4d8e1932 100644 --- a/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md +++ b/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md index 7f8b6db82f..c668b902eb 100644 --- a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md +++ b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md index 05d2bc0b77..afe7d0a2da 100644 --- a/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md +++ b/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md index 150d93d6c9..03e3ac7409 100644 --- a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md b/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md index 023d8ba9ba..615d3a60b6 100644 --- a/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md +++ b/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md b/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md index 1b477e3c0e..85ccb5fd59 100644 --- a/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md +++ b/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md index 9dc834b4ad..5dab5d7b35 100644 --- a/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md +++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md index bd27ed1708..8225fe37da 100644 --- a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md +++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md index 9f63f76ebb..8671c8e401 100644 --- a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md +++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md index 54a3e12931..04f4c05542 100644 --- a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md +++ b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md index 08fb9b8dfb..fe5c5331d3 100644 --- a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md +++ b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md b/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md index ec298ac0dd..ee1c92f759 100644 --- a/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md +++ b/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md b/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md index 2dcd0fc57b..951cbbb2d7 100644 --- a/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md +++ b/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-client-log-file.md b/mdop/appv-v4/how-to-configure-the-client-log-file.md index 20b326dfa4..e4a46cd129 100644 --- a/mdop/appv-v4/how-to-configure-the-client-log-file.md +++ b/mdop/appv-v4/how-to-configure-the-client-log-file.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-file-server.md b/mdop/appv-v4/how-to-configure-the-file-server.md index 812c78cb2c..c9d01b4dba 100644 --- a/mdop/appv-v4/how-to-configure-the-file-server.md +++ b/mdop/appv-v4/how-to-configure-the-file-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-server-for-iis.md b/mdop/appv-v4/how-to-configure-the-server-for-iis.md index 76119811be..4290cc9bf5 100644 --- a/mdop/appv-v4/how-to-configure-the-server-for-iis.md +++ b/mdop/appv-v4/how-to-configure-the-server-for-iis.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md index 04e4ec6328..fec2c858fe 100644 --- a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md +++ b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-user-permissions.md b/mdop/appv-v4/how-to-configure-user-permissions.md index 31a1894e7b..88e1049577 100644 --- a/mdop/appv-v4/how-to-configure-user-permissions.md +++ b/mdop/appv-v4/how-to-configure-user-permissions.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md index 59c1e3b44c..3ec2889648 100644 --- a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md +++ b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md index 7578063d2b..7e516a89fd 100644 --- a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md +++ b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md b/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md index 9321f73949..8368dd56f8 100644 --- a/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md +++ b/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md index 097bf0d4b7..169761167e 100644 --- a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md +++ b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-create-a-reportserver.md b/mdop/appv-v4/how-to-create-a-reportserver.md index 134036f18f..abdfd7298e 100644 --- a/mdop/appv-v4/how-to-create-a-reportserver.md +++ b/mdop/appv-v4/how-to-create-a-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-a-server-group.md b/mdop/appv-v4/how-to-create-a-server-group.md index fa407f994a..bc12c0bd0a 100644 --- a/mdop/appv-v4/how-to-create-a-server-group.md +++ b/mdop/appv-v4/how-to-create-a-server-group.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md b/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md index 249ed7b0e1..23e2b3570b 100644 --- a/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md +++ b/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md index 55143333bd..26aae4b1ea 100644 --- a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-an-application-group.md b/mdop/appv-v4/how-to-create-an-application-group.md index 4144e95e2f..ac2fba82be 100644 --- a/mdop/appv-v4/how-to-create-an-application-group.md +++ b/mdop/appv-v4/how-to-create-an-application-group.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-an-application-license-group.md b/mdop/appv-v4/how-to-create-an-application-license-group.md index e1c6567c65..76da2668b9 100644 --- a/mdop/appv-v4/how-to-create-an-application-license-group.md +++ b/mdop/appv-v4/how-to-create-an-application-license-group.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md index 522662b28d..bf6769fb47 100644 --- a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md b/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md index c169abd147..c4db220dcf 100644 --- a/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md +++ b/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-the-package-root-directory.md b/mdop/appv-v4/how-to-create-the-package-root-directory.md index 01ba72181f..8e00793ee2 100644 --- a/mdop/appv-v4/how-to-create-the-package-root-directory.md +++ b/mdop/appv-v4/how-to-create-the-package-root-directory.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md index 6b2e6bc05c..b745ddf86a 100644 --- a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md +++ b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md b/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md index 49f4a3afc7..f1e04f6d1e 100644 --- a/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-a-file-type-association.md b/mdop/appv-v4/how-to-delete-a-file-type-association.md index 8f12921951..16c96b8513 100644 --- a/mdop/appv-v4/how-to-delete-a-file-type-association.md +++ b/mdop/appv-v4/how-to-delete-a-file-type-association.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-a-package-version.md b/mdop/appv-v4/how-to-delete-a-package-version.md index 62137f64ca..c1d92e1264 100644 --- a/mdop/appv-v4/how-to-delete-a-package-version.md +++ b/mdop/appv-v4/how-to-delete-a-package-version.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-a-packageserver.md b/mdop/appv-v4/how-to-delete-a-packageserver.md index c63d2eaf35..7f2bd13bae 100644 --- a/mdop/appv-v4/how-to-delete-a-packageserver.md +++ b/mdop/appv-v4/how-to-delete-a-packageserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-a-reportserver.md b/mdop/appv-v4/how-to-delete-a-reportserver.md index 2b8a517f7c..14ac327bbf 100644 --- a/mdop/appv-v4/how-to-delete-a-reportserver.md +++ b/mdop/appv-v4/how-to-delete-a-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md index 21e583e5b2..1fdb2c31c6 100644 --- a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-an-administrator-group.md b/mdop/appv-v4/how-to-delete-an-administrator-group.md index c825492416..d538220e01 100644 --- a/mdop/appv-v4/how-to-delete-an-administrator-group.md +++ b/mdop/appv-v4/how-to-delete-an-administrator-group.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-an-application-server.md b/mdop/appv-v4/how-to-delete-an-application-server.md index 247163a1de..55f77b412f 100644 --- a/mdop/appv-v4/how-to-delete-an-application-server.md +++ b/mdop/appv-v4/how-to-delete-an-application-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-delete-an-application.md b/mdop/appv-v4/how-to-delete-an-application.md index 4ac8548398..c1e441347c 100644 --- a/mdop/appv-v4/how-to-delete-an-application.md +++ b/mdop/appv-v4/how-to-delete-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-deny-access-to-an-application.md b/mdop/appv-v4/how-to-deny-access-to-an-application.md index e1a9045654..1dd6b7fdf5 100644 --- a/mdop/appv-v4/how-to-deny-access-to-an-application.md +++ b/mdop/appv-v4/how-to-deny-access-to-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md b/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md index 2c88ccb0f0..6fda63581a 100644 --- a/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md +++ b/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md index 140d19db20..5394ec7bb3 100644 --- a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md b/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md index 07a83858b4..fc1d34c067 100644 --- a/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md +++ b/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md b/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md index b92d34564c..822fe72dd9 100644 --- a/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md +++ b/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md index 6930a3459d..41b7631eb1 100644 --- a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md +++ b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-edit-an-osd-file.md b/mdop/appv-v4/how-to-edit-an-osd-file.md index e150953185..6f19e9a7b7 100644 --- a/mdop/appv-v4/how-to-edit-an-osd-file.md +++ b/mdop/appv-v4/how-to-edit-an-osd-file.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md b/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md index 25d48601e0..480c2d8d34 100644 --- a/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md +++ b/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-export-a-reportserver.md b/mdop/appv-v4/how-to-export-a-reportserver.md index 6580474502..f7eb70e1aa 100644 --- a/mdop/appv-v4/how-to-export-a-reportserver.md +++ b/mdop/appv-v4/how-to-export-a-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-grant-access-to-an-application.md b/mdop/appv-v4/how-to-grant-access-to-an-application.md index 697afb607b..89a6cf8277 100644 --- a/mdop/appv-v4/how-to-grant-access-to-an-application.md +++ b/mdop/appv-v4/how-to-grant-access-to-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-import-an-application.md b/mdop/appv-v4/how-to-import-an-application.md index ecaec1c2de..2fc950a033 100644 --- a/mdop/appv-v4/how-to-import-an-application.md +++ b/mdop/appv-v4/how-to-import-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-import-an-applicationserver.md b/mdop/appv-v4/how-to-import-an-applicationserver.md index 24b4bce0dd..66852c68c1 100644 --- a/mdop/appv-v4/how-to-import-an-applicationserver.md +++ b/mdop/appv-v4/how-to-import-an-applicationserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-a-database.md b/mdop/appv-v4/how-to-install-a-database.md index 884793e4a7..da440a18ff 100644 --- a/mdop/appv-v4/how-to-install-a-database.md +++ b/mdop/appv-v4/how-to-install-a-database.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md index 83e7e4b7d1..ba2ed5bf33 100644 --- a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md +++ b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md index c5bb0dbe54..529a24aadc 100644 --- a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md +++ b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md index 0dd33e3482..9fff92bc25 100644 --- a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md +++ b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md index e2f80c72dd..37596836cd 100644 --- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md +++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md index f5b25c5517..5485cfe6f6 100644 --- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md +++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md index d9c4fb364b..5cf9e908d7 100644 --- a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md index 0cd8731539..b6facad249 100644 --- a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md +++ b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md index ab7c6ff130..69e3331059 100644 --- a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md +++ b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-management-console.md b/mdop/appv-v4/how-to-install-the-management-console.md index 1f584040a8..df74e0f969 100644 --- a/mdop/appv-v4/how-to-install-the-management-console.md +++ b/mdop/appv-v4/how-to-install-the-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-management-web-service.md b/mdop/appv-v4/how-to-install-the-management-web-service.md index 66cdda0365..72f0d59456 100644 --- a/mdop/appv-v4/how-to-install-the-management-web-service.md +++ b/mdop/appv-v4/how-to-install-the-management-web-service.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md index ce132d4f49..ea900036a2 100644 --- a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-sequencer.md b/mdop/appv-v4/how-to-install-the-sequencer.md index 411a6c5b05..decce9699a 100644 --- a/mdop/appv-v4/how-to-install-the-sequencer.md +++ b/mdop/appv-v4/how-to-install-the-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md index a5fa8f0893..d8d537d0e8 100644 --- a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md +++ b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-load-files-and-packages.md b/mdop/appv-v4/how-to-load-files-and-packages.md index 21dc909c70..f70cbf6dc3 100644 --- a/mdop/appv-v4/how-to-load-files-and-packages.md +++ b/mdop/appv-v4/how-to-load-files-and-packages.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-load-or-unload-an-application.md b/mdop/appv-v4/how-to-load-or-unload-an-application.md index 94fce4808b..5dd97091a1 100644 --- a/mdop/appv-v4/how-to-load-or-unload-an-application.md +++ b/mdop/appv-v4/how-to-load-or-unload-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md index 6443110c20..c089ce97ab 100644 --- a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md +++ b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-lock-or-unlock-an-application.md b/mdop/appv-v4/how-to-lock-or-unlock-an-application.md index 8913276ecd..1b2b033d69 100644 --- a/mdop/appv-v4/how-to-lock-or-unlock-an-application.md +++ b/mdop/appv-v4/how-to-lock-or-unlock-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md index 67680da087..a48df6078f 100644 --- a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md index 279a9aaa89..89c0f06825 100644 --- a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md b/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md index 5c28780e12..caa426f56a 100644 --- a/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md +++ b/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md index 636e572699..bfae14c37b 100644 --- a/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md index 59097cac45..920445161f 100644 --- a/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md index a8f2d9bbe5..cfd2debb42 100644 --- a/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md index 2717afbee8..9287af4caa 100644 --- a/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md index 1f9c00705d..b3050789b3 100644 --- a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md +++ b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md index 3002ee21c9..c88c2c0a2e 100644 --- a/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md index 9b3d5d2637..1e5aa136e6 100644 --- a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md +++ b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md b/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md index 4048f3c6ba..49b1512034 100644 --- a/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md +++ b/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manually-add-an-application.md b/mdop/appv-v4/how-to-manually-add-an-application.md index 965954b973..b503780e0d 100644 --- a/mdop/appv-v4/how-to-manually-add-an-application.md +++ b/mdop/appv-v4/how-to-manually-add-an-application.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md index 014d912472..3df7f2a0ee 100644 --- a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md +++ b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md @@ -9,56 +9,46 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- - # How to Manually Install the Application Virtualization Client - There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md). **Note** -1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md). - -2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder. - +1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md). +2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder. **Note** For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory. - - **To manually install Application Virtualization Desktop Client** -1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive. +1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive. -2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it. +2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it. -3. Review the Release Notes if appropriate. +3. Review the Release Notes if appropriate. -4. Browse to find the setup.exe file, and double-click setup.exe to start the installation. +4. Browse to find the setup.exe file, and double-click setup.exe to start the installation. -5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them: +5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them: - - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) + - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) - - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) + - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) - - Microsoft Application Error Reporting + - Microsoft Application Error Reporting **Note** For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86). - For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see (https://go.microsoft.com/fwlink/?LinkId=150700). + For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [https://go.microsoft.com/fwlink/?LinkId=150700](https://go.microsoft.com/fwlink/?LinkId=150700). - - -~~~ -If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. -~~~ + If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. 6. When the **Microsoft Application Virtualization Desktop Client – InstallShield Wizard** is displayed, click **Next**. @@ -76,88 +66,66 @@ If prompted, click **Install**. Installation progress is displayed, and the stat 12. On the **Application Virtualization Data Location** screen, click **Next** to accept the default data locations or complete the following actions to change where the data is stored: - 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data. + 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data. - 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list. + 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list. - 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications. + 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications. **Note** This path must be different for every user, so it should include a user-specific environment variable or a mapped drive or something else that will resolve to a unique path for each user. - - - 4. When you have finished making the changes, click **Next**. + 4. When you have finished making the changes, click **Next**. 13. On the **Cache Size Settings** screen, you can accept or change the default cache size. Click one of the following radio buttons to choose how to manage the cache space: - 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. + 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. - 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused. + 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused. - **Important** - To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**. + **Important** + To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**. - - -~~~ -Click **Next** to continue. -~~~ + Click **Next** to continue. 14. In the following sections of the **Runtime Package Policy Configuration** screen, you can change the parameters that affect how the Application Virtualization client behaves during runtime: - 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file. + 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file. - 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application. + 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application. - 3. **Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share. + 3. **Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share. - 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs. + 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs. **Note** When you install the App-V client to use with a read-only cache, for example, with a VDI server implementation, set **What applications to Auto Load** to **Do not automatically load applications** to prevent the client from trying to update applications in the read-only cache. - - -~~~ -Click **Next** to continue. -~~~ + Click **Next** to continue. 15. On the **Publishing Server** screen, select the **Set up a Publishing Server now** check box if you want to define a publishing server, or click **Next** if you want to complete this later. To define a publishing server, specify the following information: - 1. **Display Name**—Enter the name you want to display for the server. + 1. **Display Name**—Enter the name you want to display for the server. - 2. **Type**—Select the server type from the drop-down list of server types. + 2. **Type**—Select the server type from the drop-down list of server types. - 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs. + 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs. - 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active. + 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active. - 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client. + 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client. - 6. When finished with the configuration steps, click **Next**. + 6. When finished with the configuration steps, click **Next**. 16. On the **Ready to Install the Program** screen, click **Install**. A screen is displayed that shows the progress of the installation. 17. On the **Install Wizard Completed** screen, click **Finish**. - **Note** - If the installation fails for any reason, you might need to restart the computer before trying the install again. - - + **Note** + If the installation fails for any reason, you might need to restart the computer before trying the install again. ## Related topics - [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) [Stand-Alone Delivery Scenario Overview](stand-alone-delivery-scenario-overview.md) - - - - - - - - - diff --git a/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md b/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md index e681bb817e..4302487ce2 100644 --- a/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md +++ b/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md b/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md index f2489eb2f5..f4e1e2a14e 100644 --- a/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md +++ b/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md b/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md index be75e8d6aa..b3286dd1fd 100644 --- a/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md +++ b/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md b/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md index af10891ff9..9ef7b06355 100644 --- a/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md b/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md index 0ac39a2bb7..98cb2e695d 100644 --- a/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md +++ b/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-file-mapping-information.md b/mdop/appv-v4/how-to-modify-file-mapping-information.md index 650d2c5a16..bd04938de3 100644 --- a/mdop/appv-v4/how-to-modify-file-mapping-information.md +++ b/mdop/appv-v4/how-to-modify-file-mapping-information.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md b/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md index c5b952309a..c6af207c9b 100644 --- a/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md +++ b/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md b/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md index 8b1a2d787a..dabbe47a97 100644 --- a/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md +++ b/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md b/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md index 9992f353aa..c3428e4556 100644 --- a/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md +++ b/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md b/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md index b4a00900c6..09e46293f9 100644 --- a/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md +++ b/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-the-log-directory-location.md b/mdop/appv-v4/how-to-modify-the-log-directory-location.md index 9b4accadbf..f02e8c4638 100644 --- a/mdop/appv-v4/how-to-modify-the-log-directory-location.md +++ b/mdop/appv-v4/how-to-modify-the-log-directory-location.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md b/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md index f3aa20ff3b..e331c63e11 100644 --- a/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md +++ b/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md b/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md index 582f590f01..325ec1b929 100644 --- a/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md +++ b/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md b/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md index a858d13e4d..4d0979f07c 100644 --- a/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md +++ b/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-move-an-application-group.md b/mdop/appv-v4/how-to-move-an-application-group.md index 13f84cae13..dc8b8b117a 100644 --- a/mdop/appv-v4/how-to-move-an-application-group.md +++ b/mdop/appv-v4/how-to-move-an-application-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-move-an-application.md b/mdop/appv-v4/how-to-move-an-application.md index 891de6a2a0..1ddecfd3b0 100644 --- a/mdop/appv-v4/how-to-move-an-application.md +++ b/mdop/appv-v4/how-to-move-an-application.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md b/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md index 9a25b5de7e..69ea2fdaa3 100644 --- a/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md +++ b/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md b/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md index b155413d62..7b74cd7b09 100644 --- a/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md +++ b/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md index 884e42b049..78618cb92e 100644 --- a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md +++ b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md index 72d7607e31..129c4c2058 100644 --- a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md +++ b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-print-a-reportserver.md b/mdop/appv-v4/how-to-print-a-reportserver.md index c691eb95df..c3407cc14a 100644 --- a/mdop/appv-v4/how-to-print-a-reportserver.md +++ b/mdop/appv-v4/how-to-print-a-reportserver.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md b/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md index d91ae838c7..9a3d19e2a1 100644 --- a/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md +++ b/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-publish-application-shortcuts.md b/mdop/appv-v4/how-to-publish-application-shortcuts.md index 8098674b69..25b4335a06 100644 --- a/mdop/appv-v4/how-to-publish-application-shortcuts.md +++ b/mdop/appv-v4/how-to-publish-application-shortcuts.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-refresh-the-publishing-servers.md b/mdop/appv-v4/how-to-refresh-the-publishing-servers.md index 54494a77f0..c1f6550d87 100644 --- a/mdop/appv-v4/how-to-refresh-the-publishing-servers.md +++ b/mdop/appv-v4/how-to-refresh-the-publishing-servers.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md index 29ab05d2dd..9d197bf99f 100644 --- a/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md +++ b/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md b/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md index 4673705119..09098690cf 100644 --- a/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-a-server-group.md b/mdop/appv-v4/how-to-remove-a-server-group.md index 20cab42326..f29d802d3f 100644 --- a/mdop/appv-v4/how-to-remove-a-server-group.md +++ b/mdop/appv-v4/how-to-remove-a-server-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-a-server.md b/mdop/appv-v4/how-to-remove-a-server.md index bda6da9484..6bf7d4bcf3 100644 --- a/mdop/appv-v4/how-to-remove-a-server.md +++ b/mdop/appv-v4/how-to-remove-a-server.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md b/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md index 28cf02fc30..b6cf52235b 100644 --- a/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md +++ b/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-an-application-group.md b/mdop/appv-v4/how-to-remove-an-application-group.md index 9971b36c80..f6be0294c8 100644 --- a/mdop/appv-v4/how-to-remove-an-application-group.md +++ b/mdop/appv-v4/how-to-remove-an-application-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-an-application-license-group.md b/mdop/appv-v4/how-to-remove-an-application-license-group.md index 108f41917f..2ddff90f47 100644 --- a/mdop/appv-v4/how-to-remove-an-application-license-group.md +++ b/mdop/appv-v4/how-to-remove-an-application-license-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md b/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md index 2d2274110c..a24a7b50b4 100644 --- a/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md +++ b/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-rename-an-application-group.md b/mdop/appv-v4/how-to-rename-an-application-group.md index 55b03cd556..572521fe16 100644 --- a/mdop/appv-v4/how-to-rename-an-application-group.md +++ b/mdop/appv-v4/how-to-rename-an-application-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-rename-an-application.md b/mdop/appv-v4/how-to-rename-an-application.md index d16fc9a6e9..4f52a1b300 100644 --- a/mdop/appv-v4/how-to-rename-an-application.md +++ b/mdop/appv-v4/how-to-rename-an-application.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-repair-an-application.md b/mdop/appv-v4/how-to-repair-an-application.md index 21b8d3a5ef..ac189548e4 100644 --- a/mdop/appv-v4/how-to-repair-an-application.md +++ b/mdop/appv-v4/how-to-repair-an-application.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-reset-the-filesystem-cache.md b/mdop/appv-v4/how-to-reset-the-filesystem-cache.md index 8f50c720f3..c5e745460d 100644 --- a/mdop/appv-v4/how-to-reset-the-filesystem-cache.md +++ b/mdop/appv-v4/how-to-reset-the-filesystem-cache.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-run-a-reportserver.md b/mdop/appv-v4/how-to-run-a-reportserver.md index feb8ffd3aa..80562c889f 100644 --- a/mdop/appv-v4/how-to-run-a-reportserver.md +++ b/mdop/appv-v4/how-to-run-a-reportserver.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md index 69b8fe0655..d572d752a6 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md b/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md index 8cf0f80add..8ebca67179 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md b/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md index 8df7b3d92a..590210b069 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md b/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md index 65432aa68a..2f8c87b2f6 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-application.md b/mdop/appv-v4/how-to-sequence-a-new-application.md index 21debde0ba..93f3d84506 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md index 4f5f815988..3ca27b78c7 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md index 0811b151cb..c1dbfafeb3 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-sequence-an-application.md b/mdop/appv-v4/how-to-sequence-an-application.md index 6e4b78a2d3..119261cce7 100644 --- a/mdop/appv-v4/how-to-sequence-an-application.md +++ b/mdop/appv-v4/how-to-sequence-an-application.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md b/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md index e70a585f56..ad438383ba 100644 --- a/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md +++ b/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-a-named-license-group.md b/mdop/appv-v4/how-to-set-up-a-named-license-group.md index 3384f53bc7..5779656049 100644 --- a/mdop/appv-v4/how-to-set-up-a-named-license-group.md +++ b/mdop/appv-v4/how-to-set-up-a-named-license-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md b/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md index ad12a9daea..a793a50ed2 100644 --- a/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md +++ b/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md b/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md index 330c8fd3c2..45059429b0 100644 --- a/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md +++ b/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md b/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md index 24f021a1d7..2171c365e1 100644 --- a/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md +++ b/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-or-disable-database-size.md b/mdop/appv-v4/how-to-set-up-or-disable-database-size.md index 80082bec49..055ff8198c 100644 --- a/mdop/appv-v4/how-to-set-up-or-disable-database-size.md +++ b/mdop/appv-v4/how-to-set-up-or-disable-database-size.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md b/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md index cc5904c915..404bc76bd0 100644 --- a/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md +++ b/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md b/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md index 7c062516ea..f069cfa3b6 100644 --- a/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md +++ b/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md b/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md index 00463ee498..a416763534 100644 --- a/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md +++ b/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-set-up-publishing-servers.md b/mdop/appv-v4/how-to-set-up-publishing-servers.md index cc298754ab..ad41ea0184 100644 --- a/mdop/appv-v4/how-to-set-up-publishing-servers.md +++ b/mdop/appv-v4/how-to-set-up-publishing-servers.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-uninstall-the-app-v-client.md b/mdop/appv-v4/how-to-uninstall-the-app-v-client.md index 32cefce588..aa38719ec5 100644 --- a/mdop/appv-v4/how-to-uninstall-the-app-v-client.md +++ b/mdop/appv-v4/how-to-uninstall-the-app-v-client.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md b/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md index 6084e10e78..2285f43d07 100644 --- a/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md +++ b/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-a-package.md b/mdop/appv-v4/how-to-upgrade-a-package.md index 503f8d897c..a2e8150145 100644 --- a/mdop/appv-v4/how-to-upgrade-a-package.md +++ b/mdop/appv-v4/how-to-upgrade-a-package.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md b/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md index 3ed3a2cdfc..85293d4b7e 100644 --- a/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md +++ b/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md b/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md index 74d9705ad4..10086eb8f7 100644 --- a/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md +++ b/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md b/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md index 30f369aa2b..fcea04d661 100644 --- a/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md b/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md index a1184994e7..82e5f8e584 100644 --- a/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md +++ b/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md b/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md index acf753d0fd..25e939097f 100644 --- a/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md +++ b/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md index f2acf0f9d6..841dd29209 100644 --- a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md +++ b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md index d120506886..8505528785 100644 --- a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md b/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md index 3724881e5b..07994fd06a 100644 --- a/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md +++ b/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-use-dynamic-suite-composition.md b/mdop/appv-v4/how-to-use-dynamic-suite-composition.md index a92d326172..e2c025e1fc 100644 --- a/mdop/appv-v4/how-to-use-dynamic-suite-composition.md +++ b/mdop/appv-v4/how-to-use-dynamic-suite-composition.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md b/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md index 5c1a2d616f..c449a2a051 100644 --- a/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md +++ b/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md b/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md index 47ad3bd18b..ec96967913 100644 --- a/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md +++ b/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/how-to-use-the-differential-sft-file.md b/mdop/appv-v4/how-to-use-the-differential-sft-file.md index ee2cad8104..76fe2dc754 100644 --- a/mdop/appv-v4/how-to-use-the-differential-sft-file.md +++ b/mdop/appv-v4/how-to-use-the-differential-sft-file.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md b/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md index 2600e02b87..99672dfe57 100644 --- a/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md +++ b/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/improving-security-during-app-v-sequencing.md b/mdop/appv-v4/improving-security-during-app-v-sequencing.md index 25d280c294..36abc689dd 100644 --- a/mdop/appv-v4/improving-security-during-app-v-sequencing.md +++ b/mdop/appv-v4/improving-security-during-app-v-sequencing.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md index c02fae6064..b621af0ea0 100644 --- a/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/index.md b/mdop/appv-v4/index.md index 8f75ce1701..02747f94e3 100644 --- a/mdop/appv-v4/index.md +++ b/mdop/appv-v4/index.md @@ -1,12 +1,12 @@ --- title: Application Virtualization 4 description: Application Virtualization 4 -author: jamiejdt +author: dansimp ms.assetid: 9da557bc-f433-47d3-8af7-68ec4ff9bd3f ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/installation-files-page.md b/mdop/appv-v4/installation-files-page.md index 01386f3df3..e27b8a8203 100644 --- a/mdop/appv-v4/installation-files-page.md +++ b/mdop/appv-v4/installation-files-page.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/installation-page--learn-more-.md b/mdop/appv-v4/installation-page--learn-more-.md index 16497b85eb..decc1b459b 100644 --- a/mdop/appv-v4/installation-page--learn-more-.md +++ b/mdop/appv-v4/installation-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/installation-report-page--learn-more-.md b/mdop/appv-v4/installation-report-page--learn-more-.md index 343d0b17fd..4dc8d9afc6 100644 --- a/mdop/appv-v4/installation-report-page--learn-more-.md +++ b/mdop/appv-v4/installation-report-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md b/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md index a57d3fd5ef..9770276fd5 100644 --- a/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md +++ b/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md b/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md index d6386c9039..f1e423b957 100644 --- a/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md +++ b/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md b/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md index 08a864e1ad..7ed378d7f0 100644 --- a/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md +++ b/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md b/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md index fb9336a35c..5e5e2a17d9 100644 --- a/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md +++ b/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/load-app.md b/mdop/appv-v4/load-app.md index e76ab3bbfd..ec44358bc7 100644 --- a/mdop/appv-v4/load-app.md +++ b/mdop/appv-v4/load-app.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/load-package.md b/mdop/appv-v4/load-package.md index a5b0ab5872..2de2fe1aa4 100644 --- a/mdop/appv-v4/load-package.md +++ b/mdop/appv-v4/load-package.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/lock-app.md b/mdop/appv-v4/lock-app.md index e33f3dccae..c6e0e0a6eb 100644 --- a/mdop/appv-v4/lock-app.md +++ b/mdop/appv-v4/lock-app.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/log-file-for-the-application-virtualization-client.md b/mdop/appv-v4/log-file-for-the-application-virtualization-client.md index 0d0fbf2b4d..ca3662f546 100644 --- a/mdop/appv-v4/log-file-for-the-application-virtualization-client.md +++ b/mdop/appv-v4/log-file-for-the-application-virtualization-client.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md b/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md index 62fe4015f9..ba4748b2d7 100644 --- a/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md index 9842c91c7b..b631d97a83 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md +++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md index f7ffd9de24..feb3688ed5 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md +++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- @@ -76,7 +76,7 @@ This section is divided into two parts: (1) features in all versions of App-V an Microsoft Error Reporting provides a service that allows you to report problems you may be having with App-V to Microsoft and to receive information that may help you avoid or solve such problems. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at . @@ -84,7 +84,7 @@ For information about the information collected, processed, or transmitted by Mi We use the error reporting data to solve customer problems and improve our software and services. -**Choice/Control: ** +**Choice/Control:** App-V does not change your Microsoft Error Reporting settings. If you previously turned on error reporting, it will send Microsoft the information about the errors you encountered. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it.  App-V will always respect your Microsoft Error Reporting settings. @@ -98,7 +98,7 @@ Enterprise customers can use Group Policy to configure how Microsoft Error Repor Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including App-V.  For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at . -**Choice/Control: ** +**Choice/Control:** If Microsoft Update is not enabled, you can opt-in during setup and subsequent checks for updates will follow the machine-wide schedule. You can update this option from the Microsoft Update Control Panel item. @@ -108,7 +108,7 @@ If Microsoft Update is not enabled, you can opt-in during setup and subsequent c The product will collect various configuration items, including UserID, MachineID and SecurityGroup details, to be able to enforce settings on managed nodes. The data is stored in the App-V SQL database and transmitted across the App-V server and client components to enforce the configuration on the managed node. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** User and machine information and configuration content @@ -116,7 +116,7 @@ User and machine information and configuration content The information is used to enforce the application access configuration on the managed nodes within the enterprise. The information does not leave the enterprise. -**Choice/Control: ** +**Choice/Control:** By default, the product does not have any data. All data is entered and enabled by the admin and can be viewed in the Management console. The feature cannot be disabled as this is the product functionality. To disable this, App-V will need to be uninstalled. @@ -130,7 +130,7 @@ None of this information is sent out of the enterprise. It captures package history and asset information as part of the package. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Information about the package and the sequencing environment is collected and stored in the package manifest during sequencing. @@ -138,7 +138,7 @@ Information about the package and the sequencing environment is collected and st The information will be used by the admin to track the updates done to a package during its lifecycle. It will also be used by software deployment systems to track the package deployments within the organization. -**Choice/Control: ** +**Choice/Control:** This feature is always enabled and cannot be turned off. @@ -152,7 +152,7 @@ This administrator information will be stored in the package and can be viewed b The product will collect a variety of reporting data points, including the username, to allow reporting on the usage of the product. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Information about the machine, package and application usage are collected from every machine that reporting is enabled on. @@ -160,7 +160,7 @@ Information about the machine, package and application usage are collected from The information is used to report on application usage within the enterprise. The information does not leave the enterprise. -**Choice/Control: ** +**Choice/Control:** By default, the product does not have any data. Data is only collected once the reporting feature is enabled on the App-V Client. To disable the collection of reporting data, the reporting feature must be disabled on all clients. @@ -178,7 +178,7 @@ This section addresses specific features available in App-V 4.6 SP1 and later. The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at . @@ -186,7 +186,7 @@ For more information about the information collected, processed, or transmitted We use this information to improve the quality, reliability, and performance of Microsoft software and services. -**Choice/Control: ** +**Choice/Control:** CEIP is optional and the opt-in status can be updated during install or post install from the GUI.   @@ -196,7 +196,7 @@ CEIP is optional and the opt-in status can be updated during install or post ins Customers can use Application Package Accelerators to automatically package complex applications without installing the application. The App-V sequencer allows you to create package accelerators for each virtual package. You can then use these package accelerators to automatically re-create the same virtual package in the future. You may also use package accelerators released by Microsoft or other third parties to simplify and automate packaging of complex applications. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Application Package Accelerators may contain information such as computer names, user account information, and information about applications included in the Package Accelerator file. diff --git a/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md b/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md index 8b5c8b1759..4c68c94bf5 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md +++ b/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md b/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md index d581ace524..8d3ac35075 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md +++ b/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md index 1e8882dde6..e0573f689e 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md +++ b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md index 34494bd042..faa8e6fb37 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md +++ b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/microsoft-application-virtualization-security-guide.md b/mdop/appv-v4/microsoft-application-virtualization-security-guide.md index c57610a611..610d1317df 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-security-guide.md +++ b/mdop/appv-v4/microsoft-application-virtualization-security-guide.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/monitoring-application-virtualization-servers.md b/mdop/appv-v4/monitoring-application-virtualization-servers.md index 9058c5bf3d..e2b08724bc 100644 --- a/mdop/appv-v4/monitoring-application-virtualization-servers.md +++ b/mdop/appv-v4/monitoring-application-virtualization-servers.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/online-help-for-application-virtualization.md b/mdop/appv-v4/online-help-for-application-virtualization.md index 5607572347..7b0fb5aa06 100644 --- a/mdop/appv-v4/online-help-for-application-virtualization.md +++ b/mdop/appv-v4/online-help-for-application-virtualization.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md b/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md index cf155ad5c7..1b5f04ae2a 100644 --- a/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md +++ b/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md b/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md index 7537dd9052..0ecbf6bd98 100644 --- a/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md +++ b/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/osd-file-elements.md b/mdop/appv-v4/osd-file-elements.md index 77e35c6c8f..157d258180 100644 --- a/mdop/appv-v4/osd-file-elements.md +++ b/mdop/appv-v4/osd-file-elements.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/osd-tab-keep.md b/mdop/appv-v4/osd-tab-keep.md index 256b47eed2..6ee10b4d02 100644 --- a/mdop/appv-v4/osd-tab-keep.md +++ b/mdop/appv-v4/osd-tab-keep.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md index e088b5a477..1ad9f93518 100644 --- a/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/overview-of-application-virtualization.md b/mdop/appv-v4/overview-of-application-virtualization.md index 60b9846d7a..2381ed0605 100644 --- a/mdop/appv-v4/overview-of-application-virtualization.md +++ b/mdop/appv-v4/overview-of-application-virtualization.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md b/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md index cdd61b6351..672e8b0158 100644 --- a/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md +++ b/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/package-name-page---learn-more-.md b/mdop/appv-v4/package-name-page---learn-more-.md index 2ec6a13682..47e9be6e5f 100644 --- a/mdop/appv-v4/package-name-page---learn-more-.md +++ b/mdop/appv-v4/package-name-page---learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/package-name-page--app-v-46-sp1.md b/mdop/appv-v4/package-name-page--app-v-46-sp1.md index d6a33e85ab..b595db124d 100644 --- a/mdop/appv-v4/package-name-page--app-v-46-sp1.md +++ b/mdop/appv-v4/package-name-page--app-v-46-sp1.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/package-results-pane-columns.md b/mdop/appv-v4/package-results-pane-columns.md index 2197976bc7..cfca796126 100644 --- a/mdop/appv-v4/package-results-pane-columns.md +++ b/mdop/appv-v4/package-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/package-results-pane.md b/mdop/appv-v4/package-results-pane.md index d9670bd51d..65808ecea6 100644 --- a/mdop/appv-v4/package-results-pane.md +++ b/mdop/appv-v4/package-results-pane.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/packages-node.md b/mdop/appv-v4/packages-node.md index 548eea3031..6bdf422c6e 100644 --- a/mdop/appv-v4/packages-node.md +++ b/mdop/appv-v4/packages-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/packaging-method--learn-more-.md b/mdop/appv-v4/packaging-method--learn-more-.md index b1016bf355..f0fd04c1c6 100644 --- a/mdop/appv-v4/packaging-method--learn-more-.md +++ b/mdop/appv-v4/packaging-method--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/packaging-method-page--learn-more-.md b/mdop/appv-v4/packaging-method-page--learn-more-.md index dade78cf81..7d367a7c65 100644 --- a/mdop/appv-v4/packaging-method-page--learn-more-.md +++ b/mdop/appv-v4/packaging-method-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/parse-items-tab-keep.md b/mdop/appv-v4/parse-items-tab-keep.md index 04e254d387..5f70497e42 100644 --- a/mdop/appv-v4/parse-items-tab-keep.md +++ b/mdop/appv-v4/parse-items-tab-keep.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md b/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md index 3e3b86e643..890bce54a6 100644 --- a/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md +++ b/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md b/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md index 71f4d2d740..c7c2e67bf3 100644 --- a/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md +++ b/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md b/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md index c76572d411..b54977c4b8 100644 --- a/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md +++ b/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-for-client-security.md b/mdop/appv-v4/planning-for-client-security.md index 6050d3895b..2e70095470 100644 --- a/mdop/appv-v4/planning-for-client-security.md +++ b/mdop/appv-v4/planning-for-client-security.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- @@ -34,7 +34,7 @@ By default, at installation the App-V client is configured with the minimum perm By default, the installation of the client registers file type associations (FTAs) for OSD files, which enables users to start applications directly from OSD files instead of the published shortcuts. If a user with local administrator rights receives an OSD file containing malicious code, either in e-mail or downloaded from a Web site, the user can open the OSD file and start the application even if the client has been set to restrict the **Add Application** permission. You can unregister the FTAs for the OSD to reduce this risk. Also, consider blocking this extension in the e-mail system and at the firewall. For more information about configuring Outlook to block extensions, see . -**Security Note:  ** +**Security Note:** Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown: @@ -50,7 +50,7 @@ During installation, you can use the **RequireAuthorizationIfCached** parameter Antivirus software running on an App-V Client computer can detect and report an infected file in the virtual environment. However, it cannot disinfect the file. If a virus is detected in the virtual environment, the antivirus software would perform the configured quarantine or repair operation in the cache, not in the actual package. Configure the antivirus software with an exception for the sftfs.fsd file. This file is the cache file that stores packages on the App-V Client. -**Security Note:  ** +**Security Note:** If a virus is detected in an application or package deployed in the production environment, replace the application or package with a virus-free version. diff --git a/mdop/appv-v4/planning-for-migration-from-previous-versions.md b/mdop/appv-v4/planning-for-migration-from-previous-versions.md index c999a32a70..31b155f1d0 100644 --- a/mdop/appv-v4/planning-for-migration-from-previous-versions.md +++ b/mdop/appv-v4/planning-for-migration-from-previous-versions.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/planning-for-security-and-protection.md b/mdop/appv-v4/planning-for-security-and-protection.md index b750a27dca..a229a68305 100644 --- a/mdop/appv-v4/planning-for-security-and-protection.md +++ b/mdop/appv-v4/planning-for-security-and-protection.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-for-sequencer-security.md b/mdop/appv-v4/planning-for-sequencer-security.md index d3ad4052ec..fc925dca50 100644 --- a/mdop/appv-v4/planning-for-sequencer-security.md +++ b/mdop/appv-v4/planning-for-sequencer-security.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-for-server-security.md b/mdop/appv-v4/planning-for-server-security.md index 7f51cc0fc6..c1ee2abf07 100644 --- a/mdop/appv-v4/planning-for-server-security.md +++ b/mdop/appv-v4/planning-for-server-security.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md b/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md index fe295dc2f6..90f6f01821 100644 --- a/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md +++ b/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md b/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md index 15a00e586c..f81b40c0e2 100644 --- a/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md +++ b/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md b/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md index a166551ed1..0ec37daf28 100644 --- a/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md +++ b/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/prepare-computer-page--learn-more-.md b/mdop/appv-v4/prepare-computer-page--learn-more-.md index d1b9f19800..4920b634e8 100644 --- a/mdop/appv-v4/prepare-computer-page--learn-more-.md +++ b/mdop/appv-v4/prepare-computer-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/properties-tab-keep.md b/mdop/appv-v4/properties-tab-keep.md index f6f72144b0..af45012be4 100644 --- a/mdop/appv-v4/properties-tab-keep.md +++ b/mdop/appv-v4/properties-tab-keep.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/provider-policies-node.md b/mdop/appv-v4/provider-policies-node.md index 38f417e3a1..23667457d8 100644 --- a/mdop/appv-v4/provider-policies-node.md +++ b/mdop/appv-v4/provider-policies-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/provider-policies-results-pane-columns.md b/mdop/appv-v4/provider-policies-results-pane-columns.md index 2b83fbccc2..edc54d5af9 100644 --- a/mdop/appv-v4/provider-policies-results-pane-columns.md +++ b/mdop/appv-v4/provider-policies-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/provider-policies-results-pane.md b/mdop/appv-v4/provider-policies-results-pane.md index 8bad9dc1e4..2f0f38d356 100644 --- a/mdop/appv-v4/provider-policies-results-pane.md +++ b/mdop/appv-v4/provider-policies-results-pane.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publish-app.md b/mdop/appv-v4/publish-app.md index 365bd869f4..13b9f2635e 100644 --- a/mdop/appv-v4/publish-app.md +++ b/mdop/appv-v4/publish-app.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publish-package.md b/mdop/appv-v4/publish-package.md index 0ddf0d20e8..04b4e5c319 100644 --- a/mdop/appv-v4/publish-package.md +++ b/mdop/appv-v4/publish-package.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publishing-servers-node.md b/mdop/appv-v4/publishing-servers-node.md index bc9ef99098..76d964d714 100644 --- a/mdop/appv-v4/publishing-servers-node.md +++ b/mdop/appv-v4/publishing-servers-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publishing-servers-results-pane-columns.md b/mdop/appv-v4/publishing-servers-results-pane-columns.md index ef1b0fcca5..4d18f6216d 100644 --- a/mdop/appv-v4/publishing-servers-results-pane-columns.md +++ b/mdop/appv-v4/publishing-servers-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publishing-servers-results-pane.md b/mdop/appv-v4/publishing-servers-results-pane.md index 9ed534f85d..09a6240706 100644 --- a/mdop/appv-v4/publishing-servers-results-pane.md +++ b/mdop/appv-v4/publishing-servers-results-pane.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md b/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md index 8b19e64174..3e8cc15328 100644 --- a/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md +++ b/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md b/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md index 7587f1b537..9201d18ee2 100644 --- a/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md +++ b/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/query-obj.md b/mdop/appv-v4/query-obj.md index 21de4d2dc6..ffe63b39cb 100644 --- a/mdop/appv-v4/query-obj.md +++ b/mdop/appv-v4/query-obj.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/refresh-server.md b/mdop/appv-v4/refresh-server.md index bb227a1cc9..ce416e2f57 100644 --- a/mdop/appv-v4/refresh-server.md +++ b/mdop/appv-v4/refresh-server.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/repair-app.md b/mdop/appv-v4/repair-app.md index 7d6f2d1ea2..8028a99b00 100644 --- a/mdop/appv-v4/repair-app.md +++ b/mdop/appv-v4/repair-app.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/reports-node.md b/mdop/appv-v4/reports-node.md index 8ba7e786a8..3a134a0bf2 100644 --- a/mdop/appv-v4/reports-node.md +++ b/mdop/appv-v4/reports-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/reports-results-pane-columns.md b/mdop/appv-v4/reports-results-pane-columns.md index 760dc1d0cf..30d4a7cd79 100644 --- a/mdop/appv-v4/reports-results-pane-columns.md +++ b/mdop/appv-v4/reports-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/reports-results-pane.md b/mdop/appv-v4/reports-results-pane.md index c885db722e..1bf053f4df 100644 --- a/mdop/appv-v4/reports-results-pane.md +++ b/mdop/appv-v4/reports-results-pane.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md index 38956d73ff..f8023fed89 100644 --- a/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md b/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md index 14baba4904..fca8e43e79 100644 --- a/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md +++ b/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/security-and-protection-overview.md b/mdop/appv-v4/security-and-protection-overview.md index fc4bd7ab49..2f668ca5d7 100644 --- a/mdop/appv-v4/security-and-protection-overview.md +++ b/mdop/appv-v4/security-and-protection-overview.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- @@ -21,7 +21,7 @@ Microsoft Application Virtualization 4.5 provides the following enhanced securi - Application Virtualization now supports Transport Layer Security (TLS) using X.509 V3 certificates. Provided that a server certificate has been provisioned to the planned Application Virtualization Management or Streaming Server, the installation will default to secure, using the RTSPS protocol over port 322. Using RTSPS ensures that communication between the Application Virtualization Servers and the Application Virtualization Clients is signed and encrypted. If no certificate is assigned to the server during the Application Virtualization Server installation, the communication will be set to RTSP over port 554. - **Security Note:  ** + **Security Note:** To help provide a secure setup of the server, you must make sure that RTSP ports are disabled even if you have all packages configured to use RTSPS. diff --git a/mdop/appv-v4/select-files-page.md b/mdop/appv-v4/select-files-page.md index 01baa300ba..3e3ce46931 100644 --- a/mdop/appv-v4/select-files-page.md +++ b/mdop/appv-v4/select-files-page.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-guidance-page--package-accelerators-.md b/mdop/appv-v4/select-guidance-page--package-accelerators-.md index 77b089953b..f2a9ba20b3 100644 --- a/mdop/appv-v4/select-guidance-page--package-accelerators-.md +++ b/mdop/appv-v4/select-guidance-page--package-accelerators-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md b/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md index 69735eb53e..0fb499ff9d 100644 --- a/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md +++ b/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-installer-page--learn-more-.md b/mdop/appv-v4/select-installer-page--learn-more-.md index 56c3d2df7d..c0c95a1828 100644 --- a/mdop/appv-v4/select-installer-page--learn-more-.md +++ b/mdop/appv-v4/select-installer-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-package--learn-more--page.md b/mdop/appv-v4/select-package--learn-more--page.md index c23544c5fb..078dbfbad4 100644 --- a/mdop/appv-v4/select-package--learn-more--page.md +++ b/mdop/appv-v4/select-package--learn-more--page.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-package-accelerator--learn-more--page.md b/mdop/appv-v4/select-package-accelerator--learn-more--page.md index 3e387a8a14..28c3dd746a 100644 --- a/mdop/appv-v4/select-package-accelerator--learn-more--page.md +++ b/mdop/appv-v4/select-package-accelerator--learn-more--page.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-package-accelerator-page.md b/mdop/appv-v4/select-package-accelerator-page.md index 8969a6ffaf..d06ddc61ba 100644 --- a/mdop/appv-v4/select-package-accelerator-page.md +++ b/mdop/appv-v4/select-package-accelerator-page.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-primary-page--learn-more-.md b/mdop/appv-v4/select-primary-page--learn-more-.md index 1a1ed7a346..a35e3c17bc 100644 --- a/mdop/appv-v4/select-primary-page--learn-more-.md +++ b/mdop/appv-v4/select-primary-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/select-task-page--learn-more-.md b/mdop/appv-v4/select-task-page--learn-more-.md index 1f5037a3e4..fd9a980960 100644 --- a/mdop/appv-v4/select-task-page--learn-more-.md +++ b/mdop/appv-v4/select-task-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencer-command-line-error-codes.md b/mdop/appv-v4/sequencer-command-line-error-codes.md index a328fb293d..dd6de8148b 100644 --- a/mdop/appv-v4/sequencer-command-line-error-codes.md +++ b/mdop/appv-v4/sequencer-command-line-error-codes.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencer-command-line-parameters.md b/mdop/appv-v4/sequencer-command-line-parameters.md index f0a873d666..45f23f75de 100644 --- a/mdop/appv-v4/sequencer-command-line-parameters.md +++ b/mdop/appv-v4/sequencer-command-line-parameters.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencer-console.md b/mdop/appv-v4/sequencer-console.md index 075bbf4f05..7400f6a83a 100644 --- a/mdop/appv-v4/sequencer-console.md +++ b/mdop/appv-v4/sequencer-console.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencer-dialog-boxes.md b/mdop/appv-v4/sequencer-dialog-boxes.md index 796ed43e5a..41e0e7f3a7 100644 --- a/mdop/appv-v4/sequencer-dialog-boxes.md +++ b/mdop/appv-v4/sequencer-dialog-boxes.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/sequencer-hardware-and-software-requirements.md index 47e3854169..1a194914ee 100644 --- a/mdop/appv-v4/sequencer-hardware-and-software-requirements.md +++ b/mdop/appv-v4/sequencer-hardware-and-software-requirements.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md b/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md index 49a306d35f..684ee01f73 100644 --- a/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md +++ b/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sequencing-wizard.md b/mdop/appv-v4/sequencing-wizard.md index b439b83d0a..d4f7d09fec 100644 --- a/mdop/appv-v4/sequencing-wizard.md +++ b/mdop/appv-v4/sequencing-wizard.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-groups-node.md b/mdop/appv-v4/server-groups-node.md index 449204c5da..ce1414674d 100644 --- a/mdop/appv-v4/server-groups-node.md +++ b/mdop/appv-v4/server-groups-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-groups-results-pane-columns.md b/mdop/appv-v4/server-groups-results-pane-columns.md index 33042df361..f3e42b607f 100644 --- a/mdop/appv-v4/server-groups-results-pane-columns.md +++ b/mdop/appv-v4/server-groups-results-pane-columns.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-groups-results-pane.md b/mdop/appv-v4/server-groups-results-pane.md index 1d2a446726..129e193e76 100644 --- a/mdop/appv-v4/server-groups-results-pane.md +++ b/mdop/appv-v4/server-groups-results-pane.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-about-dialog-boxes.md b/mdop/appv-v4/server-management-console-about-dialog-boxes.md index 5ab178a36b..3efe389863 100644 --- a/mdop/appv-v4/server-management-console-about-dialog-boxes.md +++ b/mdop/appv-v4/server-management-console-about-dialog-boxes.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-administrators-node.md b/mdop/appv-v4/server-management-console-administrators-node.md index 9394274f33..015c4f342b 100644 --- a/mdop/appv-v4/server-management-console-administrators-node.md +++ b/mdop/appv-v4/server-management-console-administrators-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-application-licenses-node.md b/mdop/appv-v4/server-management-console-application-licenses-node.md index 2a8a97906f..3f238741ce 100644 --- a/mdop/appv-v4/server-management-console-application-licenses-node.md +++ b/mdop/appv-v4/server-management-console-application-licenses-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-application-virtualization-system-node.md b/mdop/appv-v4/server-management-console-application-virtualization-system-node.md index 527349e8e6..8b80ae666f 100644 --- a/mdop/appv-v4/server-management-console-application-virtualization-system-node.md +++ b/mdop/appv-v4/server-management-console-application-virtualization-system-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-applications-node.md b/mdop/appv-v4/server-management-console-applications-node.md index 4b4463745a..a60b48ffce 100644 --- a/mdop/appv-v4/server-management-console-applications-node.md +++ b/mdop/appv-v4/server-management-console-applications-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-file-type-associations-node.md b/mdop/appv-v4/server-management-console-file-type-associations-node.md index e40517eb0a..fceda812e7 100644 --- a/mdop/appv-v4/server-management-console-file-type-associations-node.md +++ b/mdop/appv-v4/server-management-console-file-type-associations-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-packages-node.md b/mdop/appv-v4/server-management-console-packages-node.md index 2bd20d93df..1dfe0fa72c 100644 --- a/mdop/appv-v4/server-management-console-packages-node.md +++ b/mdop/appv-v4/server-management-console-packages-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-provider-policies-node.md b/mdop/appv-v4/server-management-console-provider-policies-node.md index 6d899befab..ce731f565e 100644 --- a/mdop/appv-v4/server-management-console-provider-policies-node.md +++ b/mdop/appv-v4/server-management-console-provider-policies-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-reports-node.md b/mdop/appv-v4/server-management-console-reports-node.md index 1b6808031b..414250a6ed 100644 --- a/mdop/appv-v4/server-management-console-reports-node.md +++ b/mdop/appv-v4/server-management-console-reports-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/server-management-console-server-groups-node.md b/mdop/appv-v4/server-management-console-server-groups-node.md index 7b3cc68876..fa0a289798 100644 --- a/mdop/appv-v4/server-management-console-server-groups-node.md +++ b/mdop/appv-v4/server-management-console-server-groups-node.md @@ -9,7 +9,7 @@ ms.author: eravena ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sftmime--command-reference.md b/mdop/appv-v4/sftmime--command-reference.md index 1f2d7d6407..55ee1492e0 100644 --- a/mdop/appv-v4/sftmime--command-reference.md +++ b/mdop/appv-v4/sftmime--command-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/sfttray-command-reference.md b/mdop/appv-v4/sfttray-command-reference.md index 38b1c28072..bf89666ba8 100644 --- a/mdop/appv-v4/sfttray-command-reference.md +++ b/mdop/appv-v4/sfttray-command-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md index 2148e9742b..ce583088cc 100644 --- a/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/software-audit-reportserver.md b/mdop/appv-v4/software-audit-reportserver.md index 4d147072ea..d360b339b8 100644 --- a/mdop/appv-v4/software-audit-reportserver.md +++ b/mdop/appv-v4/software-audit-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md b/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md index ca951538f7..057f6f881c 100644 --- a/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md +++ b/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/stand-alone-delivery-scenario-overview.md b/mdop/appv-v4/stand-alone-delivery-scenario-overview.md index 7ac815d680..07365c016e 100644 --- a/mdop/appv-v4/stand-alone-delivery-scenario-overview.md +++ b/mdop/appv-v4/stand-alone-delivery-scenario-overview.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/streaming-page-learn-more.md b/mdop/appv-v4/streaming-page-learn-more.md index 690d651a6b..da5ad4a4f7 100644 --- a/mdop/appv-v4/streaming-page-learn-more.md +++ b/mdop/appv-v4/streaming-page-learn-more.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/support-for-client-reporting-over-http.md b/mdop/appv-v4/support-for-client-reporting-over-http.md index 1afa6d3679..affd21c498 100644 --- a/mdop/appv-v4/support-for-client-reporting-over-http.md +++ b/mdop/appv-v4/support-for-client-reporting-over-http.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md index 03fc10a7d3..836a996cb8 100644 --- a/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/system-error-reportserver.md b/mdop/appv-v4/system-error-reportserver.md index a981fa9bd2..a05fd63491 100644 --- a/mdop/appv-v4/system-error-reportserver.md +++ b/mdop/appv-v4/system-error-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/system-utilization-reportserver.md b/mdop/appv-v4/system-utilization-reportserver.md index 7251ff513b..d8d31cf853 100644 --- a/mdop/appv-v4/system-utilization-reportserver.md +++ b/mdop/appv-v4/system-utilization-reportserver.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/target-os-page-learn-more.md b/mdop/appv-v4/target-os-page-learn-more.md index ef9fb2aa79..8b841dc45f 100644 --- a/mdop/appv-v4/target-os-page-learn-more.md +++ b/mdop/appv-v4/target-os-page-learn-more.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md index d7a550ba6b..c7fd7547bb 100644 --- a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md +++ b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md index 736d4abb06..5241b96cce 100644 --- a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md b/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md index d518b6dd1c..0c9d93141c 100644 --- a/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md +++ b/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/troubleshooting-certificate-permission-issues.md b/mdop/appv-v4/troubleshooting-certificate-permission-issues.md index 62d5a6e274..6987ec6314 100644 --- a/mdop/appv-v4/troubleshooting-certificate-permission-issues.md +++ b/mdop/appv-v4/troubleshooting-certificate-permission-issues.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md index 37f2f88e78..1a8a9821d5 100644 --- a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md +++ b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md index 80485a8023..021372f847 100644 --- a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md +++ b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md b/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md index de5af9194f..0ee0ebe678 100644 --- a/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/type-of-application-page--learn-more-.md b/mdop/appv-v4/type-of-application-page--learn-more-.md index 72e6772aa9..793ec8b0c1 100644 --- a/mdop/appv-v4/type-of-application-page--learn-more-.md +++ b/mdop/appv-v4/type-of-application-page--learn-more-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/unload-app.md b/mdop/appv-v4/unload-app.md index a2748ee100..692d0b2a1b 100644 --- a/mdop/appv-v4/unload-app.md +++ b/mdop/appv-v4/unload-app.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/unload-package.md b/mdop/appv-v4/unload-package.md index 03039cbbfe..d0ad6ce857 100644 --- a/mdop/appv-v4/unload-package.md +++ b/mdop/appv-v4/unload-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/unlock-app.md b/mdop/appv-v4/unlock-app.md index 8d20a7f7a3..f003f66e5a 100644 --- a/mdop/appv-v4/unlock-app.md +++ b/mdop/appv-v4/unlock-app.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/unpublish-package.md b/mdop/appv-v4/unpublish-package.md index 4111a75383..28df41e62d 100644 --- a/mdop/appv-v4/unpublish-package.md +++ b/mdop/appv-v4/unpublish-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md b/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md index 37f72f87ed..1517ada613 100644 --- a/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md +++ b/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md b/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md index 11a9533a37..0537d830a9 100644 --- a/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md +++ b/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md b/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md index 6f8e379deb..4788d4f85f 100644 --- a/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md +++ b/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/verify-applications-page--package-accelerators-.md b/mdop/appv-v4/verify-applications-page--package-accelerators-.md index 6cb0bdd47e..dc6a8604e7 100644 --- a/mdop/appv-v4/verify-applications-page--package-accelerators-.md +++ b/mdop/appv-v4/verify-applications-page--package-accelerators-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/virtual-application-package-additional-components.md b/mdop/appv-v4/virtual-application-package-additional-components.md index e44d919586..42d28df0f0 100644 --- a/mdop/appv-v4/virtual-application-package-additional-components.md +++ b/mdop/appv-v4/virtual-application-package-additional-components.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/appv-v4/virtual-file-system-tab-keep.md b/mdop/appv-v4/virtual-file-system-tab-keep.md index 9d50f3a15c..188445d4e4 100644 --- a/mdop/appv-v4/virtual-file-system-tab-keep.md +++ b/mdop/appv-v4/virtual-file-system-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/virtual-registry-tab-keep.md b/mdop/appv-v4/virtual-registry-tab-keep.md index ab7b437cfd..832f3dc40b 100644 --- a/mdop/appv-v4/virtual-registry-tab-keep.md +++ b/mdop/appv-v4/virtual-registry-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/virtual-services-tab-keep.md b/mdop/appv-v4/virtual-services-tab-keep.md index 2314727dbd..e78e0eee33 100644 --- a/mdop/appv-v4/virtual-services-tab-keep.md +++ b/mdop/appv-v4/virtual-services-tab-keep.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v4/wizard-pages--appv-46-sp1-.md b/mdop/appv-v4/wizard-pages--appv-46-sp1-.md index 8ea9090de2..8d47e49527 100644 --- a/mdop/appv-v4/wizard-pages--appv-46-sp1-.md +++ b/mdop/appv-v4/wizard-pages--appv-46-sp1-.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md index ca33b4be38..c51ad7bc30 100644 --- a/mdop/appv-v5/index.md +++ b/mdop/appv-v5/index.md @@ -1,7 +1,7 @@ --- title: Application Virtualization 5 description: Application Virtualization 5 -author: jamiejdt +author: dansimp ms.assetid: e82eb44b-9ccd-41aa-923b-71400230ad23 ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/mdop/dart-v10/index.md b/mdop/dart-v10/index.md index ca199090fb..5d88fce5c0 100644 --- a/mdop/dart-v10/index.md +++ b/mdop/dart-v10/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 10 description: Diagnostics and Recovery Toolset 10 -author: jamiejdt +author: dansimp ms.assetid: 64403eca-ff05-4327-ac33-bdcc96e706c8 ms.pagetype: mdop ms.mktglfcycl: support diff --git a/mdop/dart-v7/about-dart-70-new-ia.md b/mdop/dart-v7/about-dart-70-new-ia.md index 944c2bd884..7669450607 100644 --- a/mdop/dart-v7/about-dart-70-new-ia.md +++ b/mdop/dart-v7/about-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/accessibility-for-dart-70.md b/mdop/dart-v7/accessibility-for-dart-70.md index 5335e76631..afb83c0c70 100644 --- a/mdop/dart-v7/accessibility-for-dart-70.md +++ b/mdop/dart-v7/accessibility-for-dart-70.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md b/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md index 0bb0012fb5..2fa4e1973e 100644 --- a/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md +++ b/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md b/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md index 2a1c1e2596..fe7a329faa 100644 --- a/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md +++ b/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/dart-70-planning-checklist-dart-7.md b/mdop/dart-v7/dart-70-planning-checklist-dart-7.md index 7612462738..5d125aafaf 100644 --- a/mdop/dart-v7/dart-70-planning-checklist-dart-7.md +++ b/mdop/dart-v7/dart-70-planning-checklist-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/dart-70-supported-configurations-dart-7.md b/mdop/dart-v7/dart-70-supported-configurations-dart-7.md index 0bff4cebfc..5c0de66ee4 100644 --- a/mdop/dart-v7/dart-70-supported-configurations-dart-7.md +++ b/mdop/dart-v7/dart-70-supported-configurations-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/deploying-dart-70-new-ia.md b/mdop/dart-v7/deploying-dart-70-new-ia.md index 455cfa5388..9612cbbec2 100644 --- a/mdop/dart-v7/deploying-dart-70-new-ia.md +++ b/mdop/dart-v7/deploying-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md b/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md index fa4f19d3d6..c8e61e3bbb 100644 --- a/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md +++ b/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md b/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md index fe84a514e2..b5bdee5e77 100644 --- a/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md +++ b/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md b/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md index 77afc0423f..5376233690 100644 --- a/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md +++ b/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/getting-started-with-dart-70-new-ia.md b/mdop/dart-v7/getting-started-with-dart-70-new-ia.md index ac081ea5fb..fe540dcf08 100644 --- a/mdop/dart-v7/getting-started-with-dart-70-new-ia.md +++ b/mdop/dart-v7/getting-started-with-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md b/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md index a6b4c35913..3a447a185e 100644 --- a/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md +++ b/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md b/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md index cadfb77d47..b86616043e 100644 --- a/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-deploy-dart-70.md b/mdop/dart-v7/how-to-deploy-dart-70.md index 32254f2c60..5ea5704612 100644 --- a/mdop/dart-v7/how-to-deploy-dart-70.md +++ b/mdop/dart-v7/how-to-deploy-dart-70.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md index ec9f029614..032c998a69 100644 --- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md +++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md index bb9b4e45b5..53d9e0c199 100644 --- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md +++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md index 8c9ec4eebf..dec6b0ee1f 100644 --- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md +++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md b/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md index 04e664b006..97919ebdaf 100644 --- a/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md +++ b/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md b/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md index f24b5b6941..3c5e049cc4 100644 --- a/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md b/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md index d8cdbc0ab0..92044dc55f 100644 --- a/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md b/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md index 2000d0e0f8..ca96b96fa2 100644 --- a/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md +++ b/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md b/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md index 4a03441b10..1cd1277d48 100644 --- a/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md +++ b/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md b/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md index 64a13002bc..68bcaa762b 100644 --- a/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/index.md b/mdop/dart-v7/index.md index 9dfe1fceaf..ba12a07c9d 100644 --- a/mdop/dart-v7/index.md +++ b/mdop/dart-v7/index.md @@ -1,12 +1,12 @@ --- title: Diagnostics and Recovery Toolset 7 Administrator's Guide description: Diagnostics and Recovery Toolset 7 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: bf89eccd-fc03-48ff-9019-a8640e11dd99 ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 04/19/2017 --- diff --git a/mdop/dart-v7/operations-for-dart-70-new-ia.md b/mdop/dart-v7/operations-for-dart-70-new-ia.md index 4ab261ebe1..aaeec42f32 100644 --- a/mdop/dart-v7/operations-for-dart-70-new-ia.md +++ b/mdop/dart-v7/operations-for-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md index ccd74f662c..945180ced9 100644 --- a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md +++ b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/planning-for-dart-70-new-ia.md b/mdop/dart-v7/planning-for-dart-70-new-ia.md index d4227b88d2..69e7f032bb 100644 --- a/mdop/dart-v7/planning-for-dart-70-new-ia.md +++ b/mdop/dart-v7/planning-for-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md b/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md index f99585b92a..dfe697ea8f 100644 --- a/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md +++ b/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md b/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md index 7c19fc8845..3aa6ed872f 100644 --- a/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md +++ b/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/planning-to-deploy-dart-70.md b/mdop/dart-v7/planning-to-deploy-dart-70.md index f1f21b158b..5fa805cf89 100644 --- a/mdop/dart-v7/planning-to-deploy-dart-70.md +++ b/mdop/dart-v7/planning-to-deploy-dart-70.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md b/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md index 35e35b8a3e..e3e5f4824e 100644 --- a/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md +++ b/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/release-notes-for-dart-70-new-ia.md b/mdop/dart-v7/release-notes-for-dart-70-new-ia.md index 87506ac590..035b7570cf 100644 --- a/mdop/dart-v7/release-notes-for-dart-70-new-ia.md +++ b/mdop/dart-v7/release-notes-for-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md b/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md index 7d51161f65..fb406cc6b9 100644 --- a/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md +++ b/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md b/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md index 70e1a1fba6..747af0760b 100644 --- a/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md +++ b/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v7/troubleshooting-dart-70-new-ia.md b/mdop/dart-v7/troubleshooting-dart-70-new-ia.md index 5e1d37af9e..7f1942cf6c 100644 --- a/mdop/dart-v7/troubleshooting-dart-70-new-ia.md +++ b/mdop/dart-v7/troubleshooting-dart-70-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/about-dart-80-dart-8.md b/mdop/dart-v8/about-dart-80-dart-8.md index 7de3d83f67..75405ef53f 100644 --- a/mdop/dart-v8/about-dart-80-dart-8.md +++ b/mdop/dart-v8/about-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/about-dart-80-sp1.md b/mdop/dart-v8/about-dart-80-sp1.md index 9a2cf5c3a0..c6bec15027 100644 --- a/mdop/dart-v8/about-dart-80-sp1.md +++ b/mdop/dart-v8/about-dart-80-sp1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/about-dart-81.md b/mdop/dart-v8/about-dart-81.md index a2d81ba1e5..9af17ffe96 100644 --- a/mdop/dart-v8/about-dart-81.md +++ b/mdop/dart-v8/about-dart-81.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/accessibility-for-dart-80-dart-8.md b/mdop/dart-v8/accessibility-for-dart-80-dart-8.md index 936d93ea7d..dedbc23dc8 100644 --- a/mdop/dart-v8/accessibility-for-dart-80-dart-8.md +++ b/mdop/dart-v8/accessibility-for-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md b/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md index d400b3bd5d..1aaf5e577a 100644 --- a/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md +++ b/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md index 0dfd0b39f2..cec64c5c0e 100644 --- a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/21/2017 --- diff --git a/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md b/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md index eca291304a..94c522e8cb 100644 --- a/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md +++ b/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/dart-80-planning-checklist-dart-8.md b/mdop/dart-v8/dart-80-planning-checklist-dart-8.md index 7e29d01395..d94a6d2c8c 100644 --- a/mdop/dart-v8/dart-80-planning-checklist-dart-8.md +++ b/mdop/dart-v8/dart-80-planning-checklist-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/dart-80-privacy-statement-dart-8.md b/mdop/dart-v8/dart-80-privacy-statement-dart-8.md index 3446e85228..0be261d833 100644 --- a/mdop/dart-v8/dart-80-privacy-statement-dart-8.md +++ b/mdop/dart-v8/dart-80-privacy-statement-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/dart-80-supported-configurations-dart-8.md b/mdop/dart-v8/dart-80-supported-configurations-dart-8.md index 1498448738..f659803a79 100644 --- a/mdop/dart-v8/dart-80-supported-configurations-dart-8.md +++ b/mdop/dart-v8/dart-80-supported-configurations-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/deploying-dart-80-dart-8.md b/mdop/dart-v8/deploying-dart-80-dart-8.md index 36e9c02d25..c6a3f6f118 100644 --- a/mdop/dart-v8/deploying-dart-80-dart-8.md +++ b/mdop/dart-v8/deploying-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md b/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md index ecd56e83ee..ddd014d2eb 100644 --- a/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md +++ b/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md index 99ebca995c..c635accd35 100644 --- a/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md +++ b/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md b/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md index d5e3945dc8..77522cf3fa 100644 --- a/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md +++ b/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/getting-started-with-dart-80-dart-8.md b/mdop/dart-v8/getting-started-with-dart-80-dart-8.md index faa25ee39e..e313b81a37 100644 --- a/mdop/dart-v8/getting-started-with-dart-80-dart-8.md +++ b/mdop/dart-v8/getting-started-with-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md b/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md index 0e90caab1d..6c2e3fb612 100644 --- a/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md +++ b/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md b/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md index e31d87e179..f562dc65ba 100644 --- a/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md +++ b/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md index a717b3888e..cddcfef5e9 100644 --- a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md +++ b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md index c5d594b59c..c84571d02c 100644 --- a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md +++ b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md b/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md index afe2d17d1b..dfdfa5bf01 100644 --- a/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md +++ b/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md b/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md index c36fc90c84..c1eb0becc8 100644 --- a/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md +++ b/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md index dca11766bc..d4315fa44a 100644 --- a/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md +++ b/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md index 5cf1247cb4..0b4c3efa63 100644 --- a/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md +++ b/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md b/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md index ad3b05cceb..8b0b3c8a8c 100644 --- a/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md +++ b/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md b/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md index c50f8d1d66..e3a35791e8 100644 --- a/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md +++ b/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md b/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md index 34c8202a73..b0a3f41ad7 100644 --- a/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md +++ b/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/index.md b/mdop/dart-v8/index.md index 4f39c5a258..bcee6aaf64 100644 --- a/mdop/dart-v8/index.md +++ b/mdop/dart-v8/index.md @@ -1,12 +1,12 @@ --- title: Diagnostics and Recovery Toolset 8 Administrator's Guide description: Diagnostics and Recovery Toolset 8 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: 33685dd7-844f-4864-b504-3ef384ef01de ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 04/19/2017 --- diff --git a/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md b/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md index 78b6e42da3..f2a4047807 100644 --- a/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md +++ b/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/operations-for-dart-80-dart-8.md b/mdop/dart-v8/operations-for-dart-80-dart-8.md index c495ff0ffd..c71925f264 100644 --- a/mdop/dart-v8/operations-for-dart-80-dart-8.md +++ b/mdop/dart-v8/operations-for-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md index 7cffb8401b..dc1608bbf2 100644 --- a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md +++ b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/planning-for-dart-80-dart-8.md b/mdop/dart-v8/planning-for-dart-80-dart-8.md index a7ab30d88b..55b249c5e7 100644 --- a/mdop/dart-v8/planning-for-dart-80-dart-8.md +++ b/mdop/dart-v8/planning-for-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md index 4f95c0b2fa..00fe0bfbd8 100644 --- a/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md index 4acce8e180..3e41f760d4 100644 --- a/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md b/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md index 60c6e5d180..57ade193c4 100644 --- a/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md +++ b/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md b/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md index 10b50735d0..78ee035cb4 100644 --- a/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md +++ b/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/release-notes-for-dart-80--dart-8.md b/mdop/dart-v8/release-notes-for-dart-80--dart-8.md index 7ec6427eb0..a96b501caa 100644 --- a/mdop/dart-v8/release-notes-for-dart-80--dart-8.md +++ b/mdop/dart-v8/release-notes-for-dart-80--dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/release-notes-for-dart-80-sp1.md b/mdop/dart-v8/release-notes-for-dart-80-sp1.md index 4807afe2a9..28f2df8b60 100644 --- a/mdop/dart-v8/release-notes-for-dart-80-sp1.md +++ b/mdop/dart-v8/release-notes-for-dart-80-sp1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/release-notes-for-dart-81.md b/mdop/dart-v8/release-notes-for-dart-81.md index ed24c12ba0..d1183586b4 100644 --- a/mdop/dart-v8/release-notes-for-dart-81.md +++ b/mdop/dart-v8/release-notes-for-dart-81.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md b/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md index 2cfe65b9fa..f6a05dbbaf 100644 --- a/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md +++ b/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md b/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md index c89debf994..716e3ed33f 100644 --- a/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md +++ b/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md b/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md index 98189c70c5..1084a0fc4e 100644 --- a/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md +++ b/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/dart-v8/troubleshooting-dart-80-dart-8.md b/mdop/dart-v8/troubleshooting-dart-80-dart-8.md index d801caa77c..dd64f0665f 100644 --- a/mdop/dart-v8/troubleshooting-dart-80-dart-8.md +++ b/mdop/dart-v8/troubleshooting-dart-80-dart-8.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop ms.mktglfcycl: support ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/docfx.json b/mdop/docfx.json index f825997a00..55e32ba407 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -24,7 +24,9 @@ "globalMetadata": { "breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", - "ms.technology": "mdop", + "ms.technology": "windows", + "audience": "ITPro", + "manager": "dansimp", "ms.sitesec": "library", "ms.topic": "article", "ms.date": "04/05/2017", diff --git a/mdop/index.md b/mdop/index.md index 78fffc67fd..93ce634a80 100644 --- a/mdop/index.md +++ b/mdop/index.md @@ -2,7 +2,7 @@ title: MDOP Information Experience description: MDOP Information Experience ms.assetid: 12b8ab56-3267-450d-bb22-1c7e44cb8e52 -author: jamiejdt +author: dansimp ms.pagetype: mdop ms.mktglfcycl: manage ms.sitesec: library diff --git a/mdop/mbam-v1/about-mbam-10.md b/mdop/mbam-v1/about-mbam-10.md index 6649ff16d7..de3e35c13d 100644 --- a/mdop/mbam-v1/about-mbam-10.md +++ b/mdop/mbam-v1/about-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/accessibility-for-mbam-10.md b/mdop/mbam-v1/accessibility-for-mbam-10.md index 6e772a734a..f360475a2c 100644 --- a/mdop/mbam-v1/accessibility-for-mbam-10.md +++ b/mdop/mbam-v1/accessibility-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md b/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md index 11d991351f..b9f38f7a3e 100644 --- a/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md +++ b/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/administering-mbam-10-features.md b/mdop/mbam-v1/administering-mbam-10-features.md index 86fabb6cde..26d27aea64 100644 --- a/mdop/mbam-v1/administering-mbam-10-features.md +++ b/mdop/mbam-v1/administering-mbam-10-features.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md b/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md index c6d78bd71f..f62d25bd4d 100644 --- a/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md +++ b/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/deploying-mbam-10.md b/mdop/mbam-v1/deploying-mbam-10.md index 9c54063330..086a3a721d 100644 --- a/mdop/mbam-v1/deploying-mbam-10.md +++ b/mdop/mbam-v1/deploying-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/deploying-the-mbam-10-client.md b/mdop/mbam-v1/deploying-the-mbam-10-client.md index 3b9f55c539..df62ed3b09 100644 --- a/mdop/mbam-v1/deploying-the-mbam-10-client.md +++ b/mdop/mbam-v1/deploying-the-mbam-10-client.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md b/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md index 1cf2e31d54..311a0ba253 100644 --- a/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md +++ b/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md b/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md index 55c227b364..e802fbe9a3 100644 --- a/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md +++ b/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md index a610d18cea..c245904370 100644 --- a/mdop/mbam-v1/evaluating-mbam-10.md +++ b/mdop/mbam-v1/evaluating-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/getting-started-with-mbam-10.md b/mdop/mbam-v1/getting-started-with-mbam-10.md index b54f281bf6..80cf2a07bf 100644 --- a/mdop/mbam-v1/getting-started-with-mbam-10.md +++ b/mdop/mbam-v1/getting-started-with-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/high-availability-for-mbam-10.md b/mdop/mbam-v1/high-availability-for-mbam-10.md index a7f2f2a89a..5817b9955d 100644 --- a/mdop/mbam-v1/high-availability-for-mbam-10.md +++ b/mdop/mbam-v1/high-availability-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/high-level-architecture-for-mbam-10.md b/mdop/mbam-v1/high-level-architecture-for-mbam-10.md index 73dfbdd35b..d01784a142 100644 --- a/mdop/mbam-v1/high-level-architecture-for-mbam-10.md +++ b/mdop/mbam-v1/high-level-architecture-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md b/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md index a8ca4fbd5c..9020faa354 100644 --- a/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md +++ b/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md b/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md index d76d6481b6..8390876b1e 100644 --- a/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md +++ b/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md b/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md index ec94256a72..739b6c100e 100644 --- a/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md +++ b/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md b/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md index 1951352a23..9183a1ebb8 100644 --- a/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md +++ b/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md b/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md index f7b3f615a5..7b594af29c 100644 --- a/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md +++ b/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md b/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md index 62464e8014..2117e28d4f 100644 --- a/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md +++ b/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md b/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md index d10014b0d2..dbf5369cc9 100644 --- a/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md +++ b/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md index 7761a0065c..178bb1e922 100644 --- a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md index 668966c147..8415738e13 100644 --- a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md b/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md index ca6defb7b6..9a47bce6c6 100644 --- a/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md +++ b/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md index 978349f4d2..40aea24b1a 100644 --- a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md index ec68e9b91a..1043c5be7b 100644 --- a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md b/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md index 8dcdf2d88f..56b13e75d8 100644 --- a/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md +++ b/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md b/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md index f8a0500186..1ed110d24c 100644 --- a/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md b/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md index 7deb0b2e0a..71eda0e490 100644 --- a/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md b/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md index 02e890969a..6800cc91ac 100644 --- a/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md b/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md index 3116ec7a92..48e9ef2121 100644 --- a/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md index e0dec01036..8da7ef40e8 100644 --- a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md +++ b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md index 4cface3663..4205bfe3db 100644 --- a/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md +++ b/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md index b1d3a350ea..0e4e67dfcd 100644 --- a/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md +++ b/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md index 094d762b26..6425bd6b12 100644 --- a/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md +++ b/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md b/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md index bb5ddfe3f6..354f5be7d0 100644 --- a/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md +++ b/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md index f7646af27e..b25186a196 100644 --- a/mdop/mbam-v1/index.md +++ b/mdop/mbam-v1/index.md @@ -1,55 +1,45 @@ --- title: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide description: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: 4086e721-db24-4439-bdcd-ac5ef901811f ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide - Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. With MBAM, you can select BitLocker encryption policy options that are appropriate to your enterprise and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the entire enterprise. In addition, you can access recovery key information when users forget their PIN or password, or when their BIOS or boot record changes. -[Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) - -[About MBAM 1.0](about-mbam-10.md)**|**[Evaluating MBAM 1.0](evaluating-mbam-10.md)**|**[High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)**|**[Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)**|**[Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md) - -[Planning for MBAM 1.0](planning-for-mbam-10.md) - -[Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)**|**[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)**|**[Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)**|**[MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)**|**[MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md) - -[Deploying MBAM 1.0](deploying-mbam-10.md) - -[Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)**|**[Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)**|**[Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)**|**[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)**|**[MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md) - -[Operations for MBAM 1.0](operations-for-mbam-10.md) - -[Administering MBAM 1.0 Features](administering-mbam-10-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)**|**[Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md) - -[Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) - -### More Information - -[Release Notes for MBAM 1.0](release-notes-for-mbam-10.md) -View updated product information and known issues for MBAM 1.0. - -[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) -Learn about the latest MDOP information and resources. - -[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) -Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). - -  - -  - - - - +- [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) + - [About MBAM 1.0](about-mbam-10.md) + - [Release Notes for MBAM 1.0](release-notes-for-mbam-10.md) + - [Evaluating MBAM 1.0](evaluating-mbam-10.md) + - [High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md) + - [Accessibility for MBAM 1.0](accessibility-for-mbam-10.md) + - [Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md) +- [Planning for MBAM 1.0](planning-for-mbam-10.md) + - [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md) + - [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) + - [Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md) + - [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md) + - [MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md) +- [Deploying MBAM 1.0](deploying-mbam-10.md) + - [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) + - [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md) + - [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md) + - [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md) + - [MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md) +- [Operations for MBAM 1.0](operations-for-mbam-10.md) + - [Administering MBAM 1.0 Features](administering-mbam-10-features.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md) + - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) + - [Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md) +- [Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) +## More Information +- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) + Find documentation, videos, and other resources for MDOP technologies. diff --git a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md index 2bc9d1d30a..152ae6db90 100644 --- a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md +++ b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/maintaining-mbam-10.md b/mdop/mbam-v1/maintaining-mbam-10.md index 38d6ea5192..6cdfa7c140 100644 --- a/mdop/mbam-v1/maintaining-mbam-10.md +++ b/mdop/mbam-v1/maintaining-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/mbam-10-deployment-checklist.md b/mdop/mbam-v1/mbam-10-deployment-checklist.md index 24865d56ec..98918bcd19 100644 --- a/mdop/mbam-v1/mbam-10-deployment-checklist.md +++ b/mdop/mbam-v1/mbam-10-deployment-checklist.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/mbam-10-deployment-prerequisites.md b/mdop/mbam-v1/mbam-10-deployment-prerequisites.md index 700410a63d..efefe73d4b 100644 --- a/mdop/mbam-v1/mbam-10-deployment-prerequisites.md +++ b/mdop/mbam-v1/mbam-10-deployment-prerequisites.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/mbam-10-planning-checklist.md b/mdop/mbam-v1/mbam-10-planning-checklist.md index 97e5d82a85..f2ca3f0e3a 100644 --- a/mdop/mbam-v1/mbam-10-planning-checklist.md +++ b/mdop/mbam-v1/mbam-10-planning-checklist.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/mbam-10-supported-configurations.md b/mdop/mbam-v1/mbam-10-supported-configurations.md index b15e8336ad..71a4d85992 100644 --- a/mdop/mbam-v1/mbam-10-supported-configurations.md +++ b/mdop/mbam-v1/mbam-10-supported-configurations.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md b/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md index 35db4e0f57..e01d92edeb 100644 --- a/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md +++ b/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/operations-for-mbam-10.md b/mdop/mbam-v1/operations-for-mbam-10.md index 4f6a0e333e..2c21229603 100644 --- a/mdop/mbam-v1/operations-for-mbam-10.md +++ b/mdop/mbam-v1/operations-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md b/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md index 0efb74fc83..466a1cc867 100644 --- a/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md +++ b/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md index cd65628a24..00b1e7fdff 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md +++ b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md b/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md index c493b0b251..2820bf86ad 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md +++ b/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md index eb5ac48c44..0705bc85f5 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md +++ b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md b/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md index f8a81e0385..e3fd8e1f24 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md +++ b/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/planning-for-mbam-10.md b/mdop/mbam-v1/planning-for-mbam-10.md index d962c67909..633e4048d0 100644 --- a/mdop/mbam-v1/planning-for-mbam-10.md +++ b/mdop/mbam-v1/planning-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/planning-to-deploy-mbam-10.md b/mdop/mbam-v1/planning-to-deploy-mbam-10.md index 82f073a30e..0fe94548e9 100644 --- a/mdop/mbam-v1/planning-to-deploy-mbam-10.md +++ b/mdop/mbam-v1/planning-to-deploy-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md b/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md index c1751b7247..796672f8b3 100644 --- a/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md +++ b/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/privacy-statement-for-mbam-10.md b/mdop/mbam-v1/privacy-statement-for-mbam-10.md index cbb1202f49..53d2f37793 100644 --- a/mdop/mbam-v1/privacy-statement-for-mbam-10.md +++ b/mdop/mbam-v1/privacy-statement-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/release-notes-for-mbam-10.md b/mdop/mbam-v1/release-notes-for-mbam-10.md index aec1c1dab8..9b9be836c6 100644 --- a/mdop/mbam-v1/release-notes-for-mbam-10.md +++ b/mdop/mbam-v1/release-notes-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/security-and-privacy-for-mbam-10.md b/mdop/mbam-v1/security-and-privacy-for-mbam-10.md index 00c9e551f3..9b8209c9d4 100644 --- a/mdop/mbam-v1/security-and-privacy-for-mbam-10.md +++ b/mdop/mbam-v1/security-and-privacy-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v1/security-considerations-for-mbam-10.md b/mdop/mbam-v1/security-considerations-for-mbam-10.md index 60d75c4b33..bcfe42f061 100644 --- a/mdop/mbam-v1/security-considerations-for-mbam-10.md +++ b/mdop/mbam-v1/security-considerations-for-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/troubleshooting-mbam-10.md b/mdop/mbam-v1/troubleshooting-mbam-10.md index 9c07bf41b2..5a72af69f9 100644 --- a/mdop/mbam-v1/troubleshooting-mbam-10.md +++ b/mdop/mbam-v1/troubleshooting-mbam-10.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md b/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md index 069c0097c2..e6b066b08a 100644 --- a/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md +++ b/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/about-mbam-20-mbam-2.md b/mdop/mbam-v2/about-mbam-20-mbam-2.md index 403d43870d..f12cb7956f 100644 --- a/mdop/mbam-v2/about-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/about-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/about-mbam-20-sp1.md b/mdop/mbam-v2/about-mbam-20-sp1.md index 8b27fe1388..b5bf6aee5b 100644 --- a/mdop/mbam-v2/about-mbam-20-sp1.md +++ b/mdop/mbam-v2/about-mbam-20-sp1.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/about-the-computer-tpm-chip.md b/mdop/mbam-v2/about-the-computer-tpm-chip.md index 8fc5a07b1c..053703ed72 100644 --- a/mdop/mbam-v2/about-the-computer-tpm-chip.md +++ b/mdop/mbam-v2/about-the-computer-tpm-chip.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md b/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md index 62803ce9fd..d4ab5fa177 100644 --- a/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md b/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md index 87e053a66b..8331189deb 100644 --- a/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md +++ b/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md b/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md index 38ce3f35cf..cd4cc7364f 100644 --- a/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md +++ b/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md index fbbfcb6384..1ce8e1b6f2 100644 --- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md +++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/04/2017 --- diff --git a/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md b/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md index 01574c06fa..a117c6af21 100644 --- a/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md +++ b/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/deploying-mbam-20-mbam-2.md b/mdop/mbam-v2/deploying-mbam-20-mbam-2.md index 4f391c02e0..3123a95e40 100644 --- a/mdop/mbam-v2/deploying-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/deploying-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md b/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md index d216401680..b7254c63e3 100644 --- a/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md +++ b/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md b/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md index c9857d854e..ab113f1153 100644 --- a/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md +++ b/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md b/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md index 32a1b563d5..1b8e0bec49 100644 --- a/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md +++ b/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md index e06a21728b..09e536028a 100644 --- a/mdop/mbam-v2/edit-the-configurationmof-file.md +++ b/mdop/mbam-v2/edit-the-configurationmof-file.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/03/2017 --- diff --git a/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md b/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md index 4c52ea62b8..6499e380e6 100644 --- a/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md b/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md index c05335448c..9e4092ead8 100644 --- a/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md +++ b/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md b/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md index e24afb3f59..bfbd547d4b 100644 --- a/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/helping-end-users-manage-bitlocker.md b/mdop/mbam-v2/helping-end-users-manage-bitlocker.md index 351f43c2ea..72286236c4 100644 --- a/mdop/mbam-v2/helping-end-users-manage-bitlocker.md +++ b/mdop/mbam-v2/helping-end-users-manage-bitlocker.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md b/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md index ccf0d2efd2..21008d0070 100644 --- a/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md b/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md index 8e213175cb..105afce636 100644 --- a/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-brand-the-self-service-portal.md b/mdop/mbam-v2/how-to-brand-the-self-service-portal.md index d50446e82d..fadf286056 100644 --- a/mdop/mbam-v2/how-to-brand-the-self-service-portal.md +++ b/mdop/mbam-v2/how-to-brand-the-self-service-portal.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md b/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md index 5e92294d61..4797ce3bfb 100644 --- a/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md +++ b/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md b/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md index 26ec642679..10ff64c8e7 100644 --- a/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md +++ b/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md b/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md index cd58d1213c..85cef41291 100644 --- a/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md +++ b/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md b/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md index be34c7735b..5d87de60b6 100644 --- a/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md +++ b/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md b/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md index 1c4aec51cd..183ffd7a51 100644 --- a/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md +++ b/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md b/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md index 7e100cc0b6..8f124cd31e 100644 --- a/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md +++ b/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md b/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md index 94480977b1..0371722265 100644 --- a/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md +++ b/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md index db6508b8b3..a9475663df 100644 --- a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md index f7c562da25..4a108246e2 100644 --- a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md b/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md index a01c49e93e..6ada7f3b2f 100644 --- a/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md +++ b/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md index 44d57820c6..d69f082425 100644 --- a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md b/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md index 39812a5a36..8b70578b3a 100644 --- a/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md +++ b/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md b/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md index e449e25cfc..93609c42c5 100644 --- a/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md +++ b/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md b/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md index f338e9a016..94028e58e1 100644 --- a/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md +++ b/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md index 7888f34d72..bdffa741a7 100644 --- a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md +++ b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md index dd4da603f5..47c7f9cf92 100644 --- a/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md +++ b/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md index 433c97297f..3ba78dbcad 100644 --- a/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md +++ b/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md index c562f3e90c..0702c3658e 100644 --- a/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md +++ b/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md b/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md index 9736d6ac88..09f2ccc21e 100644 --- a/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md +++ b/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md index 0b67f68365..b9de2465f0 100644 --- a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md +++ b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md index e9c34d8cd9..146fdd3729 100644 --- a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md +++ b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-use-the-help-desk-portal.md b/mdop/mbam-v2/how-to-use-the-help-desk-portal.md index 285a8e790c..1d863d9452 100644 --- a/mdop/mbam-v2/how-to-use-the-help-desk-portal.md +++ b/mdop/mbam-v2/how-to-use-the-help-desk-portal.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md b/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md index 298322fa61..34f203bd9c 100644 --- a/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md +++ b/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md index 06bda1be6f..7c89b836a2 100644 --- a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md +++ b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md index 5337db9b65..ba76b06b55 100644 --- a/mdop/mbam-v2/index.md +++ b/mdop/mbam-v2/index.md @@ -1,52 +1,56 @@ --- title: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide description: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: fdb43f62-960a-4811-8802-50efdf04b4af ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide - Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simplified administrative interface that you can use to manage BitLocker drive encryption. In BitLocker Administration and Monitoring 2.0, you can select BitLocker drive encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. -[Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) +## Outline -[About MBAM 2.0](about-mbam-20-mbam-2.md)**|**[Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)**|**[About MBAM 2.0 SP1](about-mbam-20-sp1.md)**|**[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)**|**[Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)**|**[High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)**|**[Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md) +- [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) + - [About MBAM 2.0](about-mbam-20-mbam-2.md) + - [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md) + - [About MBAM 2.0 SP1](about-mbam-20-sp1.md) + - [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md) + - [Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md) + - [High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md) + - [Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md) +- [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) + - [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md) + - [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) + - [Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md) + - [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) + - [MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md) +- [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) + - [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) + - [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md) + - [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md) + - [MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md) + - [Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md) +- [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) + - [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) + - [Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md) + - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) + - [Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md) + - [Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md) + - [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md) +- [Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md) -[Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) +## More Information -[Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)**|**[MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)**|**[Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)**|**[MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)**|**[MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md) +- [MDOP Information Experience](index.md) -[Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) - -[Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)**|**[Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)**|**[Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)**|**[MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)**|**[Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md) - -[Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) - -[Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)**|**[Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)**|**[Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)**|**[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)**|** [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md) - -[Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md) - -### More Information - -- [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md) - - View updated product information and known issues for MBAM 2.0. - -- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) - - Learn about the latest MDOP information and resources. - -- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) - - Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). + Find documentation, videos, and other resources for MDOP technologies.   diff --git a/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md b/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md index 054f13ffd9..382a0458c3 100644 --- a/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md b/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md index a4c029a574..3cdb1e8d9b 100644 --- a/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md b/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md index 2dab81a1ef..f74d87fc3e 100644 --- a/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md b/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md index 00ef5df75b..5b07a90aff 100644 --- a/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md index cee951bd2f..ca24661fe9 100644 --- a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md b/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md index 72c655763d..61fa70e2f9 100644 --- a/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md b/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md index 403a3d2d2a..926638dfd3 100644 --- a/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md b/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md index c66f0cea07..d4b80cfd3e 100644 --- a/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md b/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md index a82ac9a07c..34efacc60e 100644 --- a/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md b/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md index 218286507e..5c2ed7373f 100644 --- a/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md +++ b/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md index 129b9e694f..8f3dfa626b 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md index b2f00742d9..61c41aee4a 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md index cb5cb89526..b84c686064 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md index f872aba1de..49f97005ab 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md index 65b9bccf65..63dda787ef 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md b/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md index e825d97948..58205559b9 100644 --- a/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md b/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md index a125cec907..5a97d7bef6 100644 --- a/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md +++ b/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md b/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md index ac91e39c60..726098f4e6 100644 --- a/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: tracyp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md index 7cb8d1004c..2bbbd782ed 100644 --- a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md index 003c3164cc..9fb4028a56 100644 --- a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md +++ b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md b/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md index 8b5396b89e..0a0a6f60c0 100644 --- a/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md b/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md index 6c66308f9f..7ea7004d1c 100644 --- a/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md b/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md index a5bd540199..4e367f90d7 100644 --- a/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md +++ b/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md index 731bc11158..4e1f2addc4 100644 --- a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md +++ b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md b/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md index 7b3884f5c8..ab076703c4 100644 --- a/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md +++ b/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/using-mbam-with-configuration-manager.md b/mdop/mbam-v2/using-mbam-with-configuration-manager.md index 065e2ffd49..10be5afa15 100644 --- a/mdop/mbam-v2/using-mbam-with-configuration-manager.md +++ b/mdop/mbam-v2/using-mbam-with-configuration-manager.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v2/using-your-pin-or-password.md b/mdop/mbam-v2/using-your-pin-or-password.md index cdf27ed7a0..b2e8471007 100644 --- a/mdop/mbam-v2/using-your-pin-or-password.md +++ b/mdop/mbam-v2/using-your-pin-or-password.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index a24a6d32c9..3013d8a294 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -19,7 +19,7 @@ author: shortpatti This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157) +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=58345) #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 9e5c96e03d..e5988391c0 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 2.5 description: Microsoft BitLocker Administration and Monitoring 2.5 -author: jamiejdt +author: dansimp ms.assetid: fd81d7de-b166-47e8-b6c7-d984830762b6 ms.pagetype: mdop, security ms.mktglfcycl: manage @@ -10,67 +10,61 @@ ms.prod: w10 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 2.5 - Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md). -To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +To obtain MBAM, see [How Do I Get MDOP](index.md#how-to-get-mdop). -[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) +## Outline -[About MBAM 2.5](about-mbam-25.md)**|**[Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)**|**[About MBAM 2.5 SP1](about-mbam-25-sp1.md)**|**[Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)**|**[Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)**|**[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)**|**[Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) +- [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) + - [About MBAM 2.5](about-mbam-25.md) + - [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) + - [About MBAM 2.5 SP1](about-mbam-25-sp1.md) + - [Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md) + - [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md) + - [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md) + - [Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) +- [Planning for MBAM 2.5](planning-for-mbam-25.md) + - [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md) + - [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md) + - [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md) + - [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md) + - [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md) + - [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md) + - [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) + - [Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md) + - [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md) + - [MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) +- [Deploying MBAM 2.5](deploying-mbam-25.md) + - [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md) + - [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md) + - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) + - [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md) + - [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md) + - [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) +- [Operations for MBAM 2.5](operations-for-mbam-25.md) + - [Administering MBAM 2.5 Features](administering-mbam-25-features.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md) + - [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) + - [Maintaining MBAM 2.5](maintaining-mbam-25.md) + - [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) +- [Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) +- [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) + - [Client Event Logs](client-event-logs.md) + - [Server Event Logs](server-event-logs.md) -[Planning for MBAM 2.5](planning-for-mbam-25.md) - -[Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)**|**[MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)**|**[Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)**|**[Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)**|**[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)**|**[Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)**|**[MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)**|**[Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)**|**[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)**|**[MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) - -[Deploying MBAM 2.5](deploying-mbam-25.md) - -[Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)**|**[Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)**|**[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)**|**[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)**|**[Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)**|**[Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) - -[Operations for MBAM 2.5](operations-for-mbam-25.md) - -[Administering MBAM 2.5 Features](administering-mbam-25-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)**|**[Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)**|**[Maintaining MBAM 2.5](maintaining-mbam-25.md)**|**[Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) - -[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) - -[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) - -[Client Event Logs](client-event-logs.md)**|**[Server Event Logs](server-event-logs.md) - -### More Information - -- [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) - - View updated product information and known issues for MBAM 2.5. - -- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) - - Learn about the latest MDOP information and resources. - -- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) - - Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). - -- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) - - Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. - -- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) - - Guide of how to apply MBAM 2.5 SP1 Server hotfixes - -## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). - -  - -  +## More Information +- [MDOP Information Experience](index.md) + Find documentation, videos, and other resources for MDOP technologies. +- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) + Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. + +- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) + Guide of how to apply MBAM 2.5 SP1 Server hotfixes diff --git a/mdop/medv-v1/about-med-v-10-sp1.md b/mdop/medv-v1/about-med-v-10-sp1.md index 56178030f7..f9d3fc4573 100644 --- a/mdop/medv-v1/about-med-v-10-sp1.md +++ b/mdop/medv-v1/about-med-v-10-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/about-med-v-10.md b/mdop/medv-v1/about-med-v-10.md index 88acba7244..8a99314de9 100644 --- a/mdop/medv-v1/about-med-v-10.md +++ b/mdop/medv-v1/about-med-v-10.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/about-this-guidemedv.md b/mdop/medv-v1/about-this-guidemedv.md index 223ee88fbe..cf20d13c06 100644 --- a/mdop/medv-v1/about-this-guidemedv.md +++ b/mdop/medv-v1/about-this-guidemedv.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/client-installation-command-line-reference.md b/mdop/medv-v1/client-installation-command-line-reference.md index 2556d5ec09..44326e2a47 100644 --- a/mdop/medv-v1/client-installation-command-line-reference.md +++ b/mdop/medv-v1/client-installation-command-line-reference.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/configuring-med-v-for-remote-networks.md b/mdop/medv-v1/configuring-med-v-for-remote-networks.md index a7a19283f2..108670ef04 100644 --- a/mdop/medv-v1/configuring-med-v-for-remote-networks.md +++ b/mdop/medv-v1/configuring-med-v-for-remote-networks.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md b/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md index 711eae625b..1b03f70a10 100644 --- a/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md +++ b/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/configuring-med-v-workspace-policies.md b/mdop/medv-v1/configuring-med-v-workspace-policies.md index d870b70e1c..34784f4a18 100644 --- a/mdop/medv-v1/configuring-med-v-workspace-policies.md +++ b/mdop/medv-v1/configuring-med-v-workspace-policies.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/creating-a-med-v-image.md b/mdop/medv-v1/creating-a-med-v-image.md index c784d59836..4b9d3222fb 100644 --- a/mdop/medv-v1/creating-a-med-v-image.md +++ b/mdop/medv-v1/creating-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md b/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md index 2445b5cb1a..49db131ccf 100644 --- a/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md +++ b/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md b/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md index d04425394e..c73b1b9457 100644 --- a/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md +++ b/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/define-the-project-scope.md b/mdop/medv-v1/define-the-project-scope.md index ad5596df00..2d628bd096 100644 --- a/mdop/medv-v1/define-the-project-scope.md +++ b/mdop/medv-v1/define-the-project-scope.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md b/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md index 2002a545dc..52e0292edc 100644 --- a/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md +++ b/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md b/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md index e30f9def62..4167d9099f 100644 --- a/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md +++ b/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/design-the-med-v-image-repositories.md b/mdop/medv-v1/design-the-med-v-image-repositories.md index 0fd8aa49a6..8302861536 100644 --- a/mdop/medv-v1/design-the-med-v-image-repositories.md +++ b/mdop/medv-v1/design-the-med-v-image-repositories.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/design-the-med-v-server-infrastructure.md b/mdop/medv-v1/design-the-med-v-server-infrastructure.md index d3869802c5..40536204ff 100644 --- a/mdop/medv-v1/design-the-med-v-server-infrastructure.md +++ b/mdop/medv-v1/design-the-med-v-server-infrastructure.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md b/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md index 07a5fcee07..5165183f3c 100644 --- a/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md +++ b/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/getting-started-with-med-v.md b/mdop/medv-v1/getting-started-with-med-v.md index 48d652a788..969a8b0a46 100644 --- a/mdop/medv-v1/getting-started-with-med-v.md +++ b/mdop/medv-v1/getting-started-with-med-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/high-level-architecturemedv.md b/mdop/medv-v1/high-level-architecturemedv.md index bb6ca22e61..7badb94bbd 100644 --- a/mdop/medv-v1/high-level-architecturemedv.md +++ b/mdop/medv-v1/high-level-architecturemedv.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md index 5940eccaee..5d9bdb7412 100644 --- a/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md index 90e54bea2d..4846278e8e 100644 --- a/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md index 95f5e5b56d..bb5b64f7e8 100644 --- a/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md index 966dd20f1e..197b944570 100644 --- a/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md b/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md index 0e617603d1..3a7c44c436 100644 --- a/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md +++ b/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-a-deployment-package.md b/mdop/medv-v1/how-to-configure-a-deployment-package.md index 191960b228..6d2a5b4f31 100644 --- a/mdop/medv-v1/how-to-configure-a-deployment-package.md +++ b/mdop/medv-v1/how-to-configure-a-deployment-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md b/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md index ce0b36eae2..7669269fc7 100644 --- a/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md +++ b/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-image-pre-staging.md b/mdop/medv-v1/how-to-configure-image-pre-staging.md index 5d736b92b9..5503edfefa 100644 --- a/mdop/medv-v1/how-to-configure-image-pre-staging.md +++ b/mdop/medv-v1/how-to-configure-image-pre-staging.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- @@ -72,17 +72,17 @@ Image pre-staging is useful only for the initial image download. It is not suppo **NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)** - **                                READ\_CONTROL** + **READ\_CONTROL** - **                                                                                SYNCHRONIZE** + **SYNCHRONIZE** - **                                                                                FILE\_GENERIC\_READ** + **FILE\_GENERIC\_READ** - **                                                                                                FILE\_READ\_DATA** + **FILE\_READ\_DATA** - **                                                                                FILE\_READ\_EA** + **FILE\_READ\_EA** - **                                                                                FILE\_READ\_ATTRIBUTES** + **FILE\_READ\_ATTRIBUTES** **NT AUTHORITY\\SYSTEM:(OI)(CI)F** diff --git a/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md b/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md index 91f9055689..5d812e35d6 100644 --- a/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md +++ b/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md b/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md index 2aca3bc496..3db5f49a03 100644 --- a/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md +++ b/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md index 6519e09c4a..61a363f290 100644 --- a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md index 938c998f17..aded377291 100644 --- a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md +++ b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md b/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md index d37e201c72..6bea34fef3 100644 --- a/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md +++ b/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md b/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md index 258a58f9b0..463ab388e1 100644 --- a/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md b/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md index 81edc52790..c63893f150 100644 --- a/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md +++ b/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-delete-a-med-v-image.md b/mdop/medv-v1/how-to-delete-a-med-v-image.md index 0167e493e8..02d9bb6115 100644 --- a/mdop/medv-v1/how-to-delete-a-med-v-image.md +++ b/mdop/medv-v1/how-to-delete-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md b/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md index 13cf016d4c..d849956376 100644 --- a/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md +++ b/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md b/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md index a6b40105d0..5eb6dd5c1c 100644 --- a/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md +++ b/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md b/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md index 269980cf59..babf8996d1 100644 --- a/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md +++ b/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-generate-reports-medvv2.md b/mdop/medv-v1/how-to-generate-reports-medvv2.md index 082e4a4e13..e9219aa508 100644 --- a/mdop/medv-v1/how-to-generate-reports-medvv2.md +++ b/mdop/medv-v1/how-to-generate-reports-medvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-import-and-export-a-policy.md b/mdop/medv-v1/how-to-import-and-export-a-policy.md index dec165468c..aaa08137dc 100644 --- a/mdop/medv-v1/how-to-import-and-export-a-policy.md +++ b/mdop/medv-v1/how-to-import-and-export-a-policy.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md index e21097b997..16597d58b2 100644 --- a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md +++ b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md b/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md index e84a2751f0..2ab92353b5 100644 --- a/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md +++ b/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md b/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md index 90bf368d23..908b387c82 100644 --- a/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md +++ b/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-install-med-v-clientesds.md b/mdop/medv-v1/how-to-install-med-v-clientesds.md index 57a88f7d96..46cf4d5fea 100644 --- a/mdop/medv-v1/how-to-install-med-v-clientesds.md +++ b/mdop/medv-v1/how-to-install-med-v-clientesds.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-localize-a-med-v-image.md b/mdop/medv-v1/how-to-localize-a-med-v-image.md index e118ce3dc9..b5f0bdf42a 100644 --- a/mdop/medv-v1/how-to-localize-a-med-v-image.md +++ b/mdop/medv-v1/how-to-localize-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md b/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md index 41bf6a6b2b..e620f98a5e 100644 --- a/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md +++ b/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-pack-a-med-v-image.md b/mdop/medv-v1/how-to-pack-a-med-v-image.md index 613b801c36..08ccd86ef5 100644 --- a/mdop/medv-v1/how-to-pack-a-med-v-image.md +++ b/mdop/medv-v1/how-to-pack-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md b/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md index 755acfb23b..9c9183aebe 100644 --- a/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md +++ b/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md b/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md index 9971961e86..f06380a126 100644 --- a/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md +++ b/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-set-up-script-actions.md b/mdop/medv-v1/how-to-set-up-script-actions.md index 674cc2b942..cff5da73d1 100644 --- a/mdop/medv-v1/how-to-set-up-script-actions.md +++ b/mdop/medv-v1/how-to-set-up-script-actions.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md b/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md index d1d0b3b653..d77de77862 100644 --- a/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md +++ b/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md b/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md index bd490a205c..491c545b20 100644 --- a/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md +++ b/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md b/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md index 20febc9c9a..b765e2f19c 100644 --- a/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md b/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md index d6d2fd0dd2..125a45d5b6 100644 --- a/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md +++ b/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-update-a-med-v-image.md b/mdop/medv-v1/how-to-update-a-med-v-image.md index bee3310208..742368d6ac 100644 --- a/mdop/medv-v1/how-to-update-a-med-v-image.md +++ b/mdop/medv-v1/how-to-update-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md b/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md index b0f1a3f4b5..18cf02c554 100644 --- a/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md +++ b/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md b/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md index bb70d8a60e..cae37d85c9 100644 --- a/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md +++ b/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/how-to-work-with-reports.md b/mdop/medv-v1/how-to-work-with-reports.md index 0747b58a0d..d9c80fd178 100644 --- a/mdop/medv-v1/how-to-work-with-reports.md +++ b/mdop/medv-v1/how-to-work-with-reports.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/identify-the-number-of-med-v-instances.md b/mdop/medv-v1/identify-the-number-of-med-v-instances.md index 2454991da1..1d78567667 100644 --- a/mdop/medv-v1/identify-the-number-of-med-v-instances.md +++ b/mdop/medv-v1/identify-the-number-of-med-v-instances.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/index.md b/mdop/medv-v1/index.md index 807accc058..c056dfeeaf 100644 --- a/mdop/medv-v1/index.md +++ b/mdop/medv-v1/index.md @@ -1,12 +1,12 @@ --- title: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide description: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide -author: jamiejdt +author: dansimp ms.assetid: 7bc3e120-df77-4f4c-bc8e-7aaa4c2a6525 ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/installation-and-upgrade-checklists.md b/mdop/medv-v1/installation-and-upgrade-checklists.md index 48f64681a0..581101261f 100644 --- a/mdop/medv-v1/installation-and-upgrade-checklists.md +++ b/mdop/medv-v1/installation-and-upgrade-checklists.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/installing-and-configuring-med-v-components.md b/mdop/medv-v1/installing-and-configuring-med-v-components.md index 2c3191bd46..8128182f05 100644 --- a/mdop/medv-v1/installing-and-configuring-med-v-components.md +++ b/mdop/medv-v1/installing-and-configuring-med-v-components.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/key-scenarios-for-using-med-v.md b/mdop/medv-v1/key-scenarios-for-using-med-v.md index 206fbcc8f4..377facde64 100644 --- a/mdop/medv-v1/key-scenarios-for-using-med-v.md +++ b/mdop/medv-v1/key-scenarios-for-using-med-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-10-installation-checklist.md b/mdop/medv-v1/med-v-10-installation-checklist.md index 8e68457769..6e306306a6 100644 --- a/mdop/medv-v1/med-v-10-installation-checklist.md +++ b/mdop/medv-v1/med-v-10-installation-checklist.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-10-release-notesmedv-10.md b/mdop/medv-v1/med-v-10-release-notesmedv-10.md index 993d756655..ba7e8f9ef6 100644 --- a/mdop/medv-v1/med-v-10-release-notesmedv-10.md +++ b/mdop/medv-v1/med-v-10-release-notesmedv-10.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md index a439dfd41e..dce6ffe881 100644 --- a/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md +++ b/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md index 60cd668d0c..6beb4ac562 100644 --- a/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md +++ b/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md index 631070c928..2ae432d713 100644 --- a/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md +++ b/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md b/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md index 3d45628fd0..0ad376e710 100644 --- a/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md +++ b/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-client-operations.md b/mdop/medv-v1/med-v-client-operations.md index ecc32946a9..e295ac9750 100644 --- a/mdop/medv-v1/med-v-client-operations.md +++ b/mdop/medv-v1/med-v-client-operations.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-client-toolsv2.md b/mdop/medv-v1/med-v-client-toolsv2.md index 8d763f41b6..a49324c8b9 100644 --- a/mdop/medv-v1/med-v-client-toolsv2.md +++ b/mdop/medv-v1/med-v-client-toolsv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-deployment-and-configuration.md b/mdop/medv-v1/med-v-deployment-and-configuration.md index 4360637610..38648cf7f4 100644 --- a/mdop/medv-v1/med-v-deployment-and-configuration.md +++ b/mdop/medv-v1/med-v-deployment-and-configuration.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-infrastructure-planning-and-design.md b/mdop/medv-v1/med-v-infrastructure-planning-and-design.md index 6ad5828d2b..a0654e7a12 100644 --- a/mdop/medv-v1/med-v-infrastructure-planning-and-design.md +++ b/mdop/medv-v1/med-v-infrastructure-planning-and-design.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-installation-prerequisites.md b/mdop/medv-v1/med-v-installation-prerequisites.md index ef53525088..08db5ec442 100644 --- a/mdop/medv-v1/med-v-installation-prerequisites.md +++ b/mdop/medv-v1/med-v-installation-prerequisites.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v1/med-v-operations.md b/mdop/medv-v1/med-v-operations.md index 4c5bed949c..c76249664e 100644 --- a/mdop/medv-v1/med-v-operations.md +++ b/mdop/medv-v1/med-v-operations.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-reporting.md b/mdop/medv-v1/med-v-reporting.md index 079276d2e5..17674e3619 100644 --- a/mdop/medv-v1/med-v-reporting.md +++ b/mdop/medv-v1/med-v-reporting.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md index e8b68e25fc..4413918e3f 100644 --- a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md +++ b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/overview-of-med-v.md b/mdop/medv-v1/overview-of-med-v.md index 1630db52bc..0d46bf93a7 100644 --- a/mdop/medv-v1/overview-of-med-v.md +++ b/mdop/medv-v1/overview-of-med-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/supported-configurationsmedv-orientation.md b/mdop/medv-v1/supported-configurationsmedv-orientation.md index f05c6462b7..c66ad41ec2 100644 --- a/mdop/medv-v1/supported-configurationsmedv-orientation.md +++ b/mdop/medv-v1/supported-configurationsmedv-orientation.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/technical-referencemedv-10-sp1.md b/mdop/medv-v1/technical-referencemedv-10-sp1.md index aaaad698a3..77b1fc1045 100644 --- a/mdop/medv-v1/technical-referencemedv-10-sp1.md +++ b/mdop/medv-v1/technical-referencemedv-10-sp1.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/troubleshooting-med-v.md b/mdop/medv-v1/troubleshooting-med-v.md index 60afd6e0d8..52b110ec3b 100644 --- a/mdop/medv-v1/troubleshooting-med-v.md +++ b/mdop/medv-v1/troubleshooting-med-v.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/updating-a-med-v-workspace-image.md b/mdop/medv-v1/updating-a-med-v-workspace-image.md index f5095643c7..c030f2922c 100644 --- a/mdop/medv-v1/updating-a-med-v-workspace-image.md +++ b/mdop/medv-v1/updating-a-med-v-workspace-image.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v1/using-the-med-v-management-console-user-interface.md b/mdop/medv-v1/using-the-med-v-management-console-user-interface.md index 9fc4f72eb1..58bf527214 100644 --- a/mdop/medv-v1/using-the-med-v-management-console-user-interface.md +++ b/mdop/medv-v1/using-the-med-v-management-console-user-interface.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/about-med-v-20.md b/mdop/medv-v2/about-med-v-20.md index d93dfacd2d..dd2c32be10 100644 --- a/mdop/medv-v2/about-med-v-20.md +++ b/mdop/medv-v2/about-med-v-20.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/authentication-of-med-v-end-users.md b/mdop/medv-v2/authentication-of-med-v-end-users.md index b9265d581c..843a257c5b 100644 --- a/mdop/medv-v2/authentication-of-med-v-end-users.md +++ b/mdop/medv-v2/authentication-of-med-v-end-users.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/command-line-options-for-med-v-installation-files.md b/mdop/medv-v2/command-line-options-for-med-v-installation-files.md index 414a684521..f6e9a21158 100644 --- a/mdop/medv-v2/command-line-options-for-med-v-installation-files.md +++ b/mdop/medv-v2/command-line-options-for-med-v-installation-files.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md b/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md index 42d933514a..66fc177330 100644 --- a/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md +++ b/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/configure-environment-prerequisites.md b/mdop/medv-v2/configure-environment-prerequisites.md index 23fec1d335..061ec06592 100644 --- a/mdop/medv-v2/configure-environment-prerequisites.md +++ b/mdop/medv-v2/configure-environment-prerequisites.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/configure-installation-prerequisites.md b/mdop/medv-v2/configure-installation-prerequisites.md index 04885dd2fb..efb17dc81e 100644 --- a/mdop/medv-v2/configure-installation-prerequisites.md +++ b/mdop/medv-v2/configure-installation-prerequisites.md @@ -9,7 +9,7 @@ ms.author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md index 2bae530b8d..90b935ecef 100644 --- a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md +++ b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 11/01/2016 --- diff --git a/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md b/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md index 2cd2f9a102..83a07e743e 100644 --- a/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md +++ b/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/create-a-med-v-workspace-package.md b/mdop/medv-v2/create-a-med-v-workspace-package.md index 7dac2edf43..0409a20532 100644 --- a/mdop/medv-v2/create-a-med-v-workspace-package.md +++ b/mdop/medv-v2/create-a-med-v-workspace-package.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md index b3ff8ab2d9..a4506e27a5 100644 --- a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md +++ b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/define-and-plan-your-med-v-deployment.md b/mdop/medv-v2/define-and-plan-your-med-v-deployment.md index 0b0e1a18e9..ae00fa5f9f 100644 --- a/mdop/medv-v2/define-and-plan-your-med-v-deployment.md +++ b/mdop/medv-v2/define-and-plan-your-med-v-deployment.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/deploy-the-med-v-components.md b/mdop/medv-v2/deploy-the-med-v-components.md index 607d552f9d..13bcf6dbf1 100644 --- a/mdop/medv-v2/deploy-the-med-v-components.md +++ b/mdop/medv-v2/deploy-the-med-v-components.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/deploying-the-med-v-workspace-package.md b/mdop/medv-v2/deploying-the-med-v-workspace-package.md index 5296ed863d..d7c6ce9753 100644 --- a/mdop/medv-v2/deploying-the-med-v-workspace-package.md +++ b/mdop/medv-v2/deploying-the-med-v-workspace-package.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/deployment-of-med-v.md b/mdop/medv-v2/deployment-of-med-v.md index 9bd5ad5ee3..9681fb0717 100644 --- a/mdop/medv-v2/deployment-of-med-v.md +++ b/mdop/medv-v2/deployment-of-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/deployment-troubleshooting.md b/mdop/medv-v2/deployment-troubleshooting.md index 3556aa5667..551edaa3e3 100644 --- a/mdop/medv-v2/deployment-troubleshooting.md +++ b/mdop/medv-v2/deployment-troubleshooting.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md b/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md index f8f174a569..da66303d5f 100644 --- a/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md +++ b/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/determining-how-med-v-will-be-deployed.md b/mdop/medv-v2/determining-how-med-v-will-be-deployed.md index 84034b795d..7750f6a2bb 100644 --- a/mdop/medv-v2/determining-how-med-v-will-be-deployed.md +++ b/mdop/medv-v2/determining-how-med-v-will-be-deployed.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md b/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md index 1b2a195147..3856ccbf80 100644 --- a/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md +++ b/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md b/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md index 508bff53d9..67d3cefef5 100644 --- a/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md +++ b/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md b/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md index fb7cb8a0c5..679b4bb74d 100644 --- a/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md +++ b/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/example-med-v-checklists.md b/mdop/medv-v2/example-med-v-checklists.md index 9f0a743c5f..8779d34476 100644 --- a/mdop/medv-v2/example-med-v-checklists.md +++ b/mdop/medv-v2/example-med-v-checklists.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/example-med-v-environment-planning-checklist.md b/mdop/medv-v2/example-med-v-environment-planning-checklist.md index 4a91991ac1..5901becc57 100644 --- a/mdop/medv-v2/example-med-v-environment-planning-checklist.md +++ b/mdop/medv-v2/example-med-v-environment-planning-checklist.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/example-med-v-image-preparation-checklist.md b/mdop/medv-v2/example-med-v-image-preparation-checklist.md index d1ddce73d0..99b5c5de4c 100644 --- a/mdop/medv-v2/example-med-v-image-preparation-checklist.md +++ b/mdop/medv-v2/example-med-v-image-preparation-checklist.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/example-med-v-project-planning-checklist.md b/mdop/medv-v2/example-med-v-project-planning-checklist.md index b0a5d1d39b..20208fccd3 100644 --- a/mdop/medv-v2/example-med-v-project-planning-checklist.md +++ b/mdop/medv-v2/example-med-v-project-planning-checklist.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/example-med-v-system-installation-checklist.md b/mdop/medv-v2/example-med-v-system-installation-checklist.md index de3ca2a590..d61559d1f1 100644 --- a/mdop/medv-v2/example-med-v-system-installation-checklist.md +++ b/mdop/medv-v2/example-med-v-system-installation-checklist.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md b/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md index f86a94139f..163025ee77 100644 --- a/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md +++ b/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/getting-started-with-med-vmedv2.md b/mdop/medv-v2/getting-started-with-med-vmedv2.md index de6c48b1d5..1515965dfb 100644 --- a/mdop/medv-v2/getting-started-with-med-vmedv2.md +++ b/mdop/medv-v2/getting-started-with-med-vmedv2.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/high-level-architecturemedv2.md b/mdop/medv-v2/high-level-architecturemedv2.md index a5adeabb7e..6f60819758 100644 --- a/mdop/medv-v2/high-level-architecturemedv2.md +++ b/mdop/medv-v2/high-level-architecturemedv2.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md index 0821577e21..0140b859a5 100644 --- a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md +++ b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 11/01/2016 --- diff --git a/mdop/medv-v2/how-to-create-a-test-environment.md b/mdop/medv-v2/how-to-create-a-test-environment.md index 18068b07ed..a7dbfca85a 100644 --- a/mdop/medv-v2/how-to-create-a-test-environment.md +++ b/mdop/medv-v2/how-to-create-a-test-environment.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md index 550099841d..9c0bc61d68 100644 --- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md +++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md index da44b5f136..6dcc4e29de 100644 --- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md +++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md index 7d9e7b0536..ce2798f0eb 100644 --- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md +++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md index 9271b1face..4daa663cad 100644 --- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md +++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 11/01/2016 --- diff --git a/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md b/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md index 581db9047a..3255998810 100644 --- a/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md +++ b/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md b/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md index b933cc1510..8085afe33e 100644 --- a/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md +++ b/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md b/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md index a8214e0d7a..e53fe97cee 100644 --- a/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md +++ b/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md b/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md index 5708a84057..e0a740c3ec 100644 --- a/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md +++ b/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-test-application-publishing.md b/mdop/medv-v2/how-to-test-application-publishing.md index 0e21fda4c9..aceb82dbf6 100644 --- a/mdop/medv-v2/how-to-test-application-publishing.md +++ b/mdop/medv-v2/how-to-test-application-publishing.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 11/01/2016 --- diff --git a/mdop/medv-v2/how-to-test-url-redirection.md b/mdop/medv-v2/how-to-test-url-redirection.md index e003cb9d88..be02f53d3e 100644 --- a/mdop/medv-v2/how-to-test-url-redirection.md +++ b/mdop/medv-v2/how-to-test-url-redirection.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 11/01/2016 --- diff --git a/mdop/medv-v2/how-to-uninstall-the-med-v-components.md b/mdop/medv-v2/how-to-uninstall-the-med-v-components.md index 9a514186e2..b937152091 100644 --- a/mdop/medv-v2/how-to-uninstall-the-med-v-components.md +++ b/mdop/medv-v2/how-to-uninstall-the-med-v-components.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/how-to-verify-first-time-setup-settings.md b/mdop/medv-v2/how-to-verify-first-time-setup-settings.md index e7f28b9e80..c7e07d9a20 100644 --- a/mdop/medv-v2/how-to-verify-first-time-setup-settings.md +++ b/mdop/medv-v2/how-to-verify-first-time-setup-settings.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md b/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md index 99eeb385f5..a8ab87367d 100644 --- a/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md +++ b/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/index.md b/mdop/medv-v2/index.md index 5c86cb32d1..aa6fcbf448 100644 --- a/mdop/medv-v2/index.md +++ b/mdop/medv-v2/index.md @@ -1,12 +1,12 @@ --- title: Microsoft Enterprise Desktop Virtualization 2.0 description: Microsoft Enterprise Desktop Virtualization 2.0 -author: jamiejdt +author: dansimp ms.assetid: 84109be0-4613-42e9-85fc-fcda8de6e4c4 ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md b/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md index 6a9fb7c44b..e8ceecb9a4 100644 --- a/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md +++ b/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md b/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md index fc9d0a46a6..250f5c9b1d 100644 --- a/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md +++ b/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/manage-med-v-url-redirection.md b/mdop/medv-v2/manage-med-v-url-redirection.md index d55c3d0b60..f14da219a0 100644 --- a/mdop/medv-v2/manage-med-v-url-redirection.md +++ b/mdop/medv-v2/manage-med-v-url-redirection.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/manage-med-v-workspace-applications.md b/mdop/medv-v2/manage-med-v-workspace-applications.md index 59211673e6..f7038cbe03 100644 --- a/mdop/medv-v2/manage-med-v-workspace-applications.md +++ b/mdop/medv-v2/manage-med-v-workspace-applications.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/manage-med-v-workspace-settings.md b/mdop/medv-v2/manage-med-v-workspace-settings.md index 6161aed548..be8f5b08c0 100644 --- a/mdop/medv-v2/manage-med-v-workspace-settings.md +++ b/mdop/medv-v2/manage-med-v-workspace-settings.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md b/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md index 7d71f89c65..d89ba616c8 100644 --- a/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md +++ b/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md b/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md index ccc7f402df..1c1d68922c 100644 --- a/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md +++ b/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md b/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md index c9a2d28a4c..4277a3ed48 100644 --- a/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md +++ b/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md index 4ceab3afe3..58f9226ff5 100644 --- a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md +++ b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md index f82ac07a75..34e986503c 100644 --- a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md +++ b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md b/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md index cf173e2d6d..66e002ef70 100644 --- a/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md +++ b/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md b/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md index 4dd09c0751..94e6dc437e 100644 --- a/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md +++ b/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/med-v-20-best-practices.md b/mdop/medv-v2/med-v-20-best-practices.md index e402342e9f..6d2adae7e4 100644 --- a/mdop/medv-v2/med-v-20-best-practices.md +++ b/mdop/medv-v2/med-v-20-best-practices.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/med-v-20-deployment-overview.md b/mdop/medv-v2/med-v-20-deployment-overview.md index eb8d227f1d..aecc8e0691 100644 --- a/mdop/medv-v2/med-v-20-deployment-overview.md +++ b/mdop/medv-v2/med-v-20-deployment-overview.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/med-v-20-release-notes.md b/mdop/medv-v2/med-v-20-release-notes.md index 51c9d5c1c7..959cff985c 100644 --- a/mdop/medv-v2/med-v-20-release-notes.md +++ b/mdop/medv-v2/med-v-20-release-notes.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/med-v-20-supported-configurations.md b/mdop/medv-v2/med-v-20-supported-configurations.md index f3b1110fd8..082fdcce21 100644 --- a/mdop/medv-v2/med-v-20-supported-configurations.md +++ b/mdop/medv-v2/med-v-20-supported-configurations.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/med-v-event-log-messages.md b/mdop/medv-v2/med-v-event-log-messages.md index 0eaa2bebad..337ce6e33e 100644 --- a/mdop/medv-v2/med-v-event-log-messages.md +++ b/mdop/medv-v2/med-v-event-log-messages.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/monitor-med-v-workspaces.md b/mdop/medv-v2/monitor-med-v-workspaces.md index f2c3f0b9f9..39790987a2 100644 --- a/mdop/medv-v2/monitor-med-v-workspaces.md +++ b/mdop/medv-v2/monitor-med-v-workspaces.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/monitoring-med-v-workspace-deployments.md b/mdop/medv-v2/monitoring-med-v-workspace-deployments.md index 13c103bc84..5622eb9a9b 100644 --- a/mdop/medv-v2/monitoring-med-v-workspace-deployments.md +++ b/mdop/medv-v2/monitoring-med-v-workspace-deployments.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/operations-for-med-v.md b/mdop/medv-v2/operations-for-med-v.md index adce3aa597..584edcd307 100644 --- a/mdop/medv-v2/operations-for-med-v.md +++ b/mdop/medv-v2/operations-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/operations-troubleshooting-medv2.md b/mdop/medv-v2/operations-troubleshooting-medv2.md index e32475aae0..a47f2e1541 100644 --- a/mdop/medv-v2/operations-troubleshooting-medv2.md +++ b/mdop/medv-v2/operations-troubleshooting-medv2.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/overview-of-med-vmedv2.md b/mdop/medv-v2/overview-of-med-vmedv2.md index 41fe819b84..8682b653fc 100644 --- a/mdop/medv-v2/overview-of-med-vmedv2.md +++ b/mdop/medv-v2/overview-of-med-vmedv2.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/planning-for-application-operating-system-compatibility.md b/mdop/medv-v2/planning-for-application-operating-system-compatibility.md index d45cb683cb..c542d50527 100644 --- a/mdop/medv-v2/planning-for-application-operating-system-compatibility.md +++ b/mdop/medv-v2/planning-for-application-operating-system-compatibility.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/planning-for-med-v.md b/mdop/medv-v2/planning-for-med-v.md index 9d40fa4ef6..ae3cd69ad0 100644 --- a/mdop/medv-v2/planning-for-med-v.md +++ b/mdop/medv-v2/planning-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/prepare-a-med-v-image.md b/mdop/medv-v2/prepare-a-med-v-image.md index 2796dbedaa..da36437444 100644 --- a/mdop/medv-v2/prepare-a-med-v-image.md +++ b/mdop/medv-v2/prepare-a-med-v-image.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md b/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md index 7eb0e906c5..1ed2801a3b 100644 --- a/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md +++ b/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md b/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md index 4a1f38168d..1127851da2 100644 --- a/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md +++ b/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/security-and-protection-for-med-v.md b/mdop/medv-v2/security-and-protection-for-med-v.md index c05c03ed27..d4ccad2f97 100644 --- a/mdop/medv-v2/security-and-protection-for-med-v.md +++ b/mdop/medv-v2/security-and-protection-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/security-best-practices-for-med-v-operations.md b/mdop/medv-v2/security-best-practices-for-med-v-operations.md index fa5a61b526..bd23d54f15 100644 --- a/mdop/medv-v2/security-best-practices-for-med-v-operations.md +++ b/mdop/medv-v2/security-best-practices-for-med-v-operations.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/technical-reference-for-med-v.md b/mdop/medv-v2/technical-reference-for-med-v.md index b273ebdd42..e9f819cd55 100644 --- a/mdop/medv-v2/technical-reference-for-med-v.md +++ b/mdop/medv-v2/technical-reference-for-med-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md b/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md index d8d48b7fc4..1997d4910d 100644 --- a/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md +++ b/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/testing-the-med-v-workspace-package.md b/mdop/medv-v2/testing-the-med-v-workspace-package.md index 4833b54dea..f28b7e1b9b 100644 --- a/mdop/medv-v2/testing-the-med-v-workspace-package.md +++ b/mdop/medv-v2/testing-the-med-v-workspace-package.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md b/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md index 9eec10ced2..737042b22b 100644 --- a/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md +++ b/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/troubleshooting-med-vmedv2.md b/mdop/medv-v2/troubleshooting-med-vmedv2.md index 68e73550f9..0418c22024 100644 --- a/mdop/medv-v2/troubleshooting-med-vmedv2.md +++ b/mdop/medv-v2/troubleshooting-med-vmedv2.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/updating-med-v-20.md b/mdop/medv-v2/updating-med-v-20.md index 7d18165a6a..5b5c16d8a6 100644 --- a/mdop/medv-v2/updating-med-v-20.md +++ b/mdop/medv-v2/updating-med-v-20.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/viewing-and-configuring-med-v-logs.md b/mdop/medv-v2/viewing-and-configuring-med-v-logs.md index 831ec64b9b..e0444fb438 100644 --- a/mdop/medv-v2/viewing-and-configuring-med-v-logs.md +++ b/mdop/medv-v2/viewing-and-configuring-med-v-logs.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/viewing-med-v-workspace-configurations.md b/mdop/medv-v2/viewing-med-v-workspace-configurations.md index 8f95dc130d..8df18d9a30 100644 --- a/mdop/medv-v2/viewing-med-v-workspace-configurations.md +++ b/mdop/medv-v2/viewing-med-v-workspace-configurations.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/whats-new-in-med-v-20.md b/mdop/medv-v2/whats-new-in-med-v-20.md index 2068ac978f..70f277ff9c 100644 --- a/mdop/medv-v2/whats-new-in-med-v-20.md +++ b/mdop/medv-v2/whats-new-in-med-v-20.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md b/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md index 6b98064476..2d91d0e163 100644 --- a/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md +++ b/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w7 +ms.prod: w10 ms.date: 04/28/2017 --- diff --git a/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md b/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md index d5e3224942..3f173b9548 100644 --- a/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md +++ b/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md b/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md index b2c6ffe718..747c14c3de 100644 --- a/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md +++ b/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index 080458ef89..bd1795d759 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md +++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/15/2018 --- diff --git a/mdop/solutions/index.md b/mdop/solutions/index.md index 6183633995..20c7e2da8e 100644 --- a/mdop/solutions/index.md +++ b/mdop/solutions/index.md @@ -1,12 +1,12 @@ --- title: MDOP Solutions and Scenarios description: MDOP Solutions and Scenarios -author: jamiejdt +author: dansimp ms.assetid: 1cb18bef-fbae-4e96-a4f1-90cf111c3b5f ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md b/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md index 29150aab71..87a025ba59 100644 --- a/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md +++ b/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md b/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md index 1bafd39be8..33f773621c 100644 --- a/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md +++ b/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md b/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md index ddac76e38c..b9209ac16f 100644 --- a/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md +++ b/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/about-user-experience-virtualization-10.md b/mdop/uev-v1/about-user-experience-virtualization-10.md index 14b915317b..9fa34927b9 100644 --- a/mdop/uev-v1/about-user-experience-virtualization-10.md +++ b/mdop/uev-v1/about-user-experience-virtualization-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/accessibility-for-ue-v.md b/mdop/uev-v1/accessibility-for-ue-v.md index 710364b2ab..79d9e9d678 100644 --- a/mdop/uev-v1/accessibility-for-ue-v.md +++ b/mdop/uev-v1/accessibility-for-ue-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/administering-ue-v-10.md b/mdop/uev-v1/administering-ue-v-10.md index 2bcd134ade..b5a5d8efb1 100644 --- a/mdop/uev-v1/administering-ue-v-10.md +++ b/mdop/uev-v1/administering-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md b/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md index 10ce670be1..cd78b0f3d8 100644 --- a/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md +++ b/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md b/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md index ab2aa0c2ec..1416e566c1 100644 --- a/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md +++ b/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md b/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md index 1ca4e1e44a..d41fbb33ce 100644 --- a/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md +++ b/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md b/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md index 4ff6a7f274..1d793732cd 100644 --- a/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md +++ b/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md b/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md index 57534783a3..b2fb85109b 100644 --- a/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md +++ b/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md b/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md index 7a2b1288e2..8ca6ac6836 100644 --- a/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md +++ b/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md b/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md index c0e408d050..b7aea24dd9 100644 --- a/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md +++ b/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/deploying-the-ue-v-agent.md b/mdop/uev-v1/deploying-the-ue-v-agent.md index 80f00c8ff1..9c6b40a75c 100644 --- a/mdop/uev-v1/deploying-the-ue-v-agent.md +++ b/mdop/uev-v1/deploying-the-ue-v-agent.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/deploying-ue-v-10.md b/mdop/uev-v1/deploying-ue-v-10.md index 58a93cbff2..9b56dbf52e 100644 --- a/mdop/uev-v1/deploying-ue-v-10.md +++ b/mdop/uev-v1/deploying-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md b/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md index fe939dc049..9485eeb780 100644 --- a/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md +++ b/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md b/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md index 70fac05e66..169f17d7ed 100644 --- a/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md +++ b/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md b/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md index 1d1459418d..88b04b4510 100644 --- a/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md +++ b/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/high-level-architecture-for-ue-v-10.md b/mdop/uev-v1/high-level-architecture-for-ue-v-10.md index de0ffab797..df5036bb3c 100644 --- a/mdop/uev-v1/high-level-architecture-for-ue-v-10.md +++ b/mdop/uev-v1/high-level-architecture-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md index 49e6e8a74c..3fe3f036fa 100644 --- a/mdop/uev-v1/index.md +++ b/mdop/uev-v1/index.md @@ -1,12 +1,12 @@ --- title: Microsoft User Experience Virtualization (UE-V) 1.0 description: Microsoft User Experience Virtualization (UE-V) 1.0 -author: jamiejdt +author: dansimp ms.assetid: 7c2b59f6-bbe9-4373-8b08-c1738665a37b ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 04/19/2017 --- diff --git a/mdop/uev-v1/installing-the-ue-v-generator.md b/mdop/uev-v1/installing-the-ue-v-generator.md index 2729e3b8a1..821aca1fc3 100644 --- a/mdop/uev-v1/installing-the-ue-v-generator.md +++ b/mdop/uev-v1/installing-the-ue-v-generator.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md index 114fd6f250..cbdc80df01 100644 --- a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md +++ b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 07/12/2017 --- diff --git a/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md b/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md index efb3fdfb94..394c3b4ec6 100644 --- a/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md +++ b/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md b/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md index 9bacdae69b..337ac0882d 100644 --- a/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md +++ b/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md index de4bba54f9..5d165bb12f 100644 --- a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md +++ b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md index c41b75222e..f7a444bf69 100644 --- a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md +++ b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/migrating-ue-v-settings-packages.md b/mdop/uev-v1/migrating-ue-v-settings-packages.md index 0584788218..a1b84ee0b2 100644 --- a/mdop/uev-v1/migrating-ue-v-settings-packages.md +++ b/mdop/uev-v1/migrating-ue-v-settings-packages.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/operations-for-ue-v-10.md b/mdop/uev-v1/operations-for-ue-v-10.md index 1ca7174231..e2b682e720 100644 --- a/mdop/uev-v1/operations-for-ue-v-10.md +++ b/mdop/uev-v1/operations-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md b/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md index 41e30f2c3a..358b709352 100644 --- a/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md +++ b/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/planning-for-ue-v-10.md b/mdop/uev-v1/planning-for-ue-v-10.md index a1b74638d4..5e8d26f148 100644 --- a/mdop/uev-v1/planning-for-ue-v-10.md +++ b/mdop/uev-v1/planning-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/planning-for-ue-v-configuration-methods.md b/mdop/uev-v1/planning-for-ue-v-configuration-methods.md index 8e5be9114d..7df8ae7d06 100644 --- a/mdop/uev-v1/planning-for-ue-v-configuration-methods.md +++ b/mdop/uev-v1/planning-for-ue-v-configuration-methods.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/planning-for-ue-v-configuration.md b/mdop/uev-v1/planning-for-ue-v-configuration.md index f703d2f78a..107ce3f225 100644 --- a/mdop/uev-v1/planning-for-ue-v-configuration.md +++ b/mdop/uev-v1/planning-for-ue-v-configuration.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md b/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md index 79eebd7152..86c03473c2 100644 --- a/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md +++ b/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/preparing-your-environment-for-ue-v.md b/mdop/uev-v1/preparing-your-environment-for-ue-v.md index c361404d69..17d0fcb2c2 100644 --- a/mdop/uev-v1/preparing-your-environment-for-ue-v.md +++ b/mdop/uev-v1/preparing-your-environment-for-ue-v.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md b/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md index eeafde3a12..0e614c1ba2 100644 --- a/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md +++ b/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/security-and-privacy-for-ue-v-10.md b/mdop/uev-v1/security-and-privacy-for-ue-v-10.md index dd0f34f96c..8c096e4a6a 100644 --- a/mdop/uev-v1/security-and-privacy-for-ue-v-10.md +++ b/mdop/uev-v1/security-and-privacy-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md index 48f0163995..859ef68c82 100644 --- a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md +++ b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/supported-configurations-for-ue-v-10.md b/mdop/uev-v1/supported-configurations-for-ue-v-10.md index 2fca53cc15..38776f7cf8 100644 --- a/mdop/uev-v1/supported-configurations-for-ue-v-10.md +++ b/mdop/uev-v1/supported-configurations-for-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/troubleshooting-ue-v-10.md b/mdop/uev-v1/troubleshooting-ue-v-10.md index 81aa6256a0..85a8d4677a 100644 --- a/mdop/uev-v1/troubleshooting-ue-v-10.md +++ b/mdop/uev-v1/troubleshooting-ue-v-10.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/ue-v-10-security-considerations.md b/mdop/uev-v1/ue-v-10-security-considerations.md index ddbecb7393..0fec0a0670 100644 --- a/mdop/uev-v1/ue-v-10-security-considerations.md +++ b/mdop/uev-v1/ue-v-10-security-considerations.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/ue-v-checklist.md b/mdop/uev-v1/ue-v-checklist.md index 03c5bb4c70..50eda2adfd 100644 --- a/mdop/uev-v1/ue-v-checklist.md +++ b/mdop/uev-v1/ue-v-checklist.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/user-experience-virtualization-privacy-statement.md b/mdop/uev-v1/user-experience-virtualization-privacy-statement.md index ecbbabaa59..2be967fb55 100644 --- a/mdop/uev-v1/user-experience-virtualization-privacy-statement.md +++ b/mdop/uev-v1/user-experience-virtualization-privacy-statement.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 08/30/2016 --- diff --git a/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md b/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md index 7b2ac97915..0f1b3de72d 100644 --- a/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md +++ b/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md b/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md index 14ed81bb52..dd61401c21 100644 --- a/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md +++ b/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md @@ -9,7 +9,7 @@ ms.author: ellevin ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w8 +ms.prod: w10 ms.date: 06/16/2016 --- diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md index a18ae22ef9..d918fb1b54 100644 --- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md @@ -193,7 +193,7 @@ You’ll need to deploy a settings storage location, a standard network share wh -**Security Note:  ** +**Security Note:** If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index 5e5f69c25f..b0a92410ba 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md @@ -1,7 +1,7 @@ --- title: Microsoft User Experience Virtualization (UE-V) 2.x description: Microsoft User Experience Virtualization (UE-V) 2.x -author: jamiejdt +author: dansimp ms.assetid: b860fed0-b846-415d-bdd6-ba60231a64be ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 10be832452..2825ff309d 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -33,6 +33,7 @@ "globalMetadata": { "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json", "ms.author": "trudyha", + "audience": "ITPro", "ms.technology": "windows", "ms.topic": "article", "ms.date": "05/09/2017", diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 57281ea6e2..9df4554e37 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -33,6 +33,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", "_op_documentIdPathDepotMapping": { "./": { diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index f7c9b35003..ee08c91bcf 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -33,6 +33,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", "ms.author": "elizapo", "feedback_system": "GitHub", diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 371e401c1a..a828991d9d 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -162,9 +162,13 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneMusic_8wekyb3d8bbwe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe] -``` +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.3DBuilder_8wekyb3d8bbwe] +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe] + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe] +``` [Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) [Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 8052f02284..3928061aa3 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -19,6 +19,9 @@ ms.date: 05/20/2019 - Windows 10 - Windows 10 Mobile +> [!NOTE] +> As of Windows Insider Build 18956, sideloading is enabled by default. Now, you can deploy a signed package onto a device without a special configuration. + "Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business. When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1 diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 7edad5cf25..878b065aa7 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -17,7 +17,7 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution. +This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution. ## Scenarios diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index c5967a88c3..bb9c73976e 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -33,6 +33,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index fa0bee9334..0cd8b04e7c 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -1,7 +1,7 @@ --- title: ApplicationControl CSP description: ApplicationControl CSP -ms.author: dansimp@microsoft.com +ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 4f5c622cc0..7dc2e66ea2 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,7 +1,7 @@ --- title: ApplicationControl CSP description: ApplicationControl CSP -ms.author: dansimp@microsoft.com +ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 22a816cc20..79fb1d0045 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -156,22 +156,8 @@ Each of the previous nodes contains one or more of the following leaf nodes:

          Policy

          Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

          -

          Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

          -

          For CodeIntegrity/Policy, you can use the certutil -encode command line tool to encode the data to base-64.

          -

          Here is a sample certutil invocation:

          - -``` -certutil -encode WinSiPolicy.p7b WinSiPolicy.cer -``` - -

          An alternative to using certutil would be to use the following PowerShell invocation:

          - -``` -[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) -``` - -

          If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

          -

          Data type is string. Supported operations are Get, Add, Delete, and Replace.

          +

          For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.

          +

          For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.

          EnforcementMode

          @@ -186,6 +172,8 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +> [!NOTE] +> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP. ## Find publisher and product name of apps diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 87f038c663..80079aaef9 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -37,7 +37,7 @@ manager: dansimp - LastErrorDescription - SyncStatusDescription - SyncProgress - - Sync + - Sync - PublishXML - AppVDynamicPolicy diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 8d704d0165..2191e66e9c 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -277,23 +277,23 @@ Supported operation is Get. **DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. -- 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required -- 0x2: DMA Protection required -- 0x4: HyperV not supported for Guest VM -- 0x8: HyperV feature is not available +- 0x0: System meets hardware configuration requirements +- 0x1: SecureBoot required +- 0x2: DMA Protection required +- 0x4: HyperV not supported for Guest VM +- 0x8: HyperV feature is not available Supported operation is Get. **DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: -- 0 - Running -- 1 - Reboot required -- 2 - 64 bit architecture required -- 3 - not licensed -- 4 - not configured -- 5 - System doesn't meet hardware requirements -- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details +- 0 - Running +- 1 - Reboot required +- 2 - 64 bit architecture required +- 3 - not licensed +- 4 - not configured +- 5 - System doesn't meet hardware requirements +- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details Supported operation is Get. @@ -301,11 +301,11 @@ Supported operation is Get. **DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** Added in Windows, version 1709. Local System Authority (LSA) credential guard status. -- 0 - Running -- 1 - Reboot required -- 2 - Not licensed for Credential Guard -- 3 - Not configured -- 4 - VBS not running +- 0 - Running +- 1 - Reboot required +- 2 - Not licensed for Credential Guard +- 3 - Not configured +- 4 - VBS not running Supported operation is Get. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index f97a70c2f7..548a34e79e 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -19,20 +19,23 @@ This is a step-by-step guide to configuring ADMX-backed policies in MDM. Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: -- Find the policy from the list ADMX-backed policies. -- Find the Group Policy related information from the MDM policy description. -- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. -- Create the data payload for the SyncML. +- Find the policy from the list ADMX-backed policies. +- Find the Group Policy related information from the MDM policy description. +- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. +- Create the data payload for the SyncML. -See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) for a walk-through using Intune. +See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/) for a walk-through using Intune. >[!TIP] >Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows) ## Enable a policy +> [!NOTE] +> See [Understanding ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies). + 1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description. - - GP English name + - GP English name - GP name - GP ADMX file name - GP path diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index 85e0516dfd..429bf2fe21 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -1,7 +1,7 @@ --- title: EnrollmentStatusTracking CSP description: EnrollmentStatusTracking CSP -ms.author: dansimp@microsoft.com +ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 40733a7170..080db28b5c 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,7 +1,7 @@ --- title: EnrollmentStatusTracking CSP description: EnrollmentStatusTracking CSP -ms.author: dansimp@microsoft.com +ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 1fad0a54a6..386f5a8c48 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -14,13 +14,13 @@ ms.topic: # How Mobile Device Management Providers support eSIM Management on Windows The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: -- Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. -- Assess solution type that you would like to provide your customers -- Batch/offline solution -- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to -- Real-time solution -- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. -- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used +- Onboard to Azure Active Directory +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Assess solution type that you would like to provide your customers +- Batch/offline solution +- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. +- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Real-time solution +- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. +- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used **Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index b9bc55a06a..682ae5b63d 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -44,7 +44,7 @@ The MDM security baseline includes policies that cover the following areas: For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see: - [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) - - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) +- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 564059ef4e..e35af4bde2 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -16,13 +16,13 @@ manager: dansimp The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. The following conditions are supported: -- Network traffic from a specific application name -- Network traffic from specific source or destination ports -- Network traffic from a specific IP protocol (TCP, UDP, or both) +- Network traffic from a specific application name +- Network traffic from specific source or destination ports +- Network traffic from a specific IP protocol (TCP, UDP, or both) The following actions are supported: -- Layer 2 tagging using a IEEE 802.1p priority value -- Layer 3 tagging using a differentiated services code point (DSCP) value +- Layer 2 tagging using a IEEE 802.1p priority value +- Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] > The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index bb80f306e7..5ce6a56526 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -537,7 +537,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al ADMX Info: -- GP English name: *Disable all apps from Microsoft Store * +- GP English name: *Disable all apps from Microsoft Store* - GP name: *DisableStoreApps* - GP path: *Windows Components/Store* - GP ADMX file name: *WindowsStore.admx* diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index a397e2cdfa..6553368bef 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -629,9 +629,9 @@ ADMX Info: Supported values: -- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit. -- 0 - Never send tracking information. -- 1 - Send tracking information. +- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit. +- 0 - Never send tracking information. +- 1 - Send tracking information. Most restricted value: 1 diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 524745b05b..1682e10bd8 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -387,12 +387,12 @@ Specifies whether device lock is enabled. > [!Important] > **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: > - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters  -> - DevicePasswordExpiration -> - DevicePasswordHistory +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters  +> - DevicePasswordExpiration +> - DevicePasswordHistory > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index d13267b269..c39e01b943 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -13428,7 +13428,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T ADMX Info: -- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer* - GP name: *VerMgmtDisableRunThisTime* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -16504,7 +16504,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. ADMX Info: -- GP English name: *Security Zones: Use only machine settings * +- GP English name: *Security Zones: Use only machine settings* - GP name: *Security_HKLM_only* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index ba8a7d6310..f176045650 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. -You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. +You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 81727ffef1..e2a1e35daf 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -806,11 +806,11 @@ If the policy is not specified, the behavior will be that no pages are affected. The format of the PageVisibilityList value is as follows: -- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one which hides the given pages. -- The first variant starts with the string "showonly:" and the second with the string "hide:". -- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". +- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. +- There are two variants: one that shows only the given pages and one which hides the given pages. +- The first variant starts with the string "showonly:" and the second with the string "hide:". +- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". The default value for this setting is an empty string, which is interpreted as show everything. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index af2069854f..65f8aca2b1 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1068,7 +1068,7 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat ADMX Info: -- GP English name: *Disable deleting diagnostic data * +- GP English name: *Disable deleting diagnostic data* - GP name: *DisableDeviceDelete* - GP element: *DisableDeviceDelete* - GP path: *Data Collection and Preview Builds* @@ -1131,7 +1131,7 @@ If you disable or don't configure this policy setting, the Diagnostic Data Viewe ADMX Info: -- GP English name: *Disable diagnostic data viewer. * +- GP English name: *Disable diagnostic data viewer.* - GP name: *DisableDiagnosticDataViewer* - GP element: *DisableDiagnosticDataViewer* - GP path: *Data Collection and Preview Builds* diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 92367a4c2e..fbef0fce58 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1053,7 +1053,7 @@ Supported values: -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. +Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. @@ -1071,8 +1071,8 @@ The following list shows the supported values: - 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) - 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) - 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). -- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903) diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 233e581a91..33001ff094 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -23,8 +23,8 @@ In addition to standard policies, the Policy CSP can now also handle ADMX-backed ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: -- OS settings: Computer Configuration/Administrative Templates -- Application settings: User Configuration/Administrative Templates +- OS settings: Computer Configuration/Administrative Templates +- Application settings: User Configuration/Administrative Templates In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required. @@ -42,17 +42,17 @@ To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrat The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the “Publishing Server 2 Settings” is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. Group Policy option button setting: -- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition. +- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: + - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. + - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition. -- If **Disabled** is selected and you click **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. - - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition. +- If **Disabled** is selected and you click **Apply**, the following events occur: + - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. + - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition. -- If **Not Configured** is selected and you click **Apply**, the following events occur: - - MDM ISV server sets up a Delete SyncML command. - - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition. +- If **Not Configured** is selected and you click **Apply**, the following events occur: + - MDM ISV server sets up a Delete SyncML command. + - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition. The following diagram shows the main display for the Group Policy Editor. diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index f5372d05f6..58a5040b72 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -196,7 +196,7 @@ Values: **CheckApplicability** -``` syntax +```xml @@ -223,7 +223,7 @@ Values: **Edition** -``` syntax +```xml @@ -241,7 +241,7 @@ Values: **LicenseKeyType** -``` syntax +```xml @@ -259,7 +259,7 @@ Values: **Status** -``` syntax +```xml @@ -277,7 +277,7 @@ Values: **UpgradeEditionWithProductKey** -``` syntax +```xml @@ -304,7 +304,7 @@ Values: **UpgradeEditionWithLicense** -``` syntax +```xml diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index ea9dd8e10a..ffd68aa965 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -39,7 +39,7 @@ Supported operations are Get and Replace. Enable logging of audit events. -``` syntax +```xml diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 146160c8a3..ac7e1e2391 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates: Dism /Image:: /Get-packages ``` -After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages: +After you run this command, you will see the **Install pending** and **Uninstall Pending** packages: ![Dism output](images/pendingupdate.png) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 26d48d6ccb..0c13fc8950 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -107,8 +107,8 @@ You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that More information on how to use Dumpchk.exe to check your dump files: -- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) ### Pagefile Settings diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 920e5a1ff0..664dc7700e 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -145,8 +145,8 @@ If the computer is no longer frozen and now is running in a good state, use the Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. -- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) Learn how to use Dumpchk.exe to check your dump files: diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 3dc34d0551..9790bdb770 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -27,11 +27,11 @@ Employees increasingly depend on smartphones to complete daily work tasks, but t Windows 10 supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. Devices can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance, monitoring, and retirement using a comprehensive mobile device management solution. **In this article** -- [Deploy](#deploy) -- [Configure](#configure) -- [Apps](#apps) -- [Manage](#manage) -- [Retire](#retire) +- [Deploy](#deploy) +- [Configure](#configure) +- [Apps](#apps) +- [Manage](#manage) +- [Retire](#retire) ## Deploy @@ -365,18 +365,18 @@ You can define and deploy APN profiles in MDM systems that configure cellular da - **APN name** The APN name - *IP connection type* The IP connection type; set to one of the following values: - - IPv4 only - - IPv6 only - - IPv4 and IPv6 concurrently - - IPv6 with IPv4 provided by 46xlat + - IPv4 only + - IPv6 only + - IPv4 and IPv6 concurrently + - IPv6 with IPv4 provided by 46xlat - **LTE attached** Whether the APN should be attached as part of an LTE Attach - **APN class ID** The globally unique identifier that defines the APN class to the modem - **APN authentication type** The APN authentication type; set to one of the following values: - - None - - Auto - - PAP - - CHAP - - MSCHAPv2 + - None + - Auto + - PAP + - CHAP + - MSCHAPv2 - **User name** The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type - **Password** The password for the user account specified in User name - **Integrated circuit card ID** The integrated circuit card ID associated with the cellular connection profile diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 4389cbd5e6..037e389943 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -2,7 +2,7 @@ title: Configure Windows 10 taskbar (Windows 10) description: Admins can pin apps to users' taskbars. keywords: ["taskbar layout","pin apps"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: dansimp diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index aa221c4b9e..7ac4b1ff90 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -176,7 +176,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed 2. [Export the Start layout](#export-the-start-layout). 3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: - ``` syntax + ```xml ``` diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 1ca640e263..af378be469 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -33,6 +33,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index fa57936276..bbe21777b6 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -68,7 +68,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app Kiosk Browser settings | Use this setting to --- | --- -Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

          For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

          For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

          If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 2cde6940fa..ff9c230e83 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, and Windows 10 Prerelease +>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds). ```xml @@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Prerelease. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. +Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml @@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul ``` ## [Preview] Folder Access sample xml -In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease. +In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds). IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time. @@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1903 and Windows 10 Prerelease. +>Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds). Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ```xml @@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release ``` -Schema for Windows 10 prerelease +Schema for Windows 10 Insider Preview (19H2, 20H1 builds) ```xml ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature which is added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index bd8806ab06..b825b767ae 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -5,7 +5,7 @@ ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E ms.reviewer: manager: dansimp keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index a906cf7e68..cc40946bcb 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -2,7 +2,7 @@ title: Provision PCs with apps and certificates (Windows 10) description: Create a provisioning package to apply settings to a PC running Windows 10. keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index b6d2e80dc0..cbcb56ed0d 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -2,7 +2,7 @@ title: Provision PCs with apps (Windows 10) description: Add apps to a Windows 10 provisioning package. keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 61ab4d40ae..139dcce1bb 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -2,7 +2,7 @@ title: Set up a shared or guest PC with Windows 10 (Windows 10) description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. keywords: ["shared pc mode"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: dansimp diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 529e59e779..520de10950 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -53,6 +53,7 @@ The XML schema for `LayoutModification.xml` requires the following order for tag 1. TopMFUApps 1. CustomTaskbarLayoutCollection 1. InkWorkspaceTopApps +1. StartLayoutCollection Comments are not supported in the `LayoutModification.xml` file. @@ -66,6 +67,8 @@ Comments are not supported in the `LayoutModification.xml` file. >- Do not add multiple rows of comments. The following table lists the supported elements and attributes for the LayoutModification.xml file. +> [!NOTE] +> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images. | Element | Attributes | Description | | --- | --- | --- | diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 299ba40be7..156e4af29b 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -241,7 +241,7 @@ Version identifies the version of the settings location template for administrat **Hint:** You can save notes about version changes using XML comment tags ``, for example: -``` syntax +```xml RTM) of the file back to quality update RTM/base - version and forward differential (VRTM--->R) from feature update RTM/base - version to the target version. Also, use null differential hydration to - hydrate null compressed files. - -- Stage the hydrated files (full file), forward differentials (under ‘f’ - folder) and reverse differentials (under ‘r’ folder) or null compressed - files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). - -- Resolve any dependencies and install components. - -- Clean up older state (VN-1); the previous state VN is retained for - uninstallation and restoration or repair. - -### **Resilient Hydration** - -To ensure resiliency against component store corruption or missing files that -could occur due to susceptibility of certain types of hardware to file system -corruption, a corruption repair service has been traditionally used to recover -the component store automatically (“automatic corruption repair”) or on demand -(“manual corruption repair”) using an online or local repair source. This -service will continue to offer the ability to repair and recover content for -hydration and successfully install an update, if needed. - -When corruption is detected during update operations, automatic corruption -repair will start as usual and use the Baseless Patch Storage File published to -Windows Update for each update to fix corrupted manifests, binary differentials, -or hydrated or full files. Baseless patch storage files will contain reverse and -forward differentials and full files for each updated component. Integrity of -the repair files will be hash verified. - -Corruption repair will use the component manifest to detect missing files and -get hashes for corruption detection. During update installation, new registry -flags for each differential staged on the machine will be set. When automatic -corruption repair runs, it will scan hydrated files using the manifest and -differential files using the flags. If the differential cannot be found or -verified, it will be added to the list of corruptions to repair. - -### Lazy automatic corruption repair - -“Lazy automatic corruption repair” runs during update operations to detect -corrupted binaries and differentials. While applying an update, if hydration of -any file fails, "lazy" automatic corruption repair automatically starts, -identifies the corrupted binary or differential file, and then adds it to the -corruption list. Later, the update operation continues as far as it can go, so -that "lazy" automatic corruption repair can collect as many corrupted files to fix -as possible. At the end of the hydration section, the update fails, and -automatic corruption repair starts. Automatic corruption repair runs as usual -and at the end of its operation, adds the corruption list generated by "lazy" -automatic corruption repair on top of the new list to repair. Automatic -corruption repair then repairs the files on the corruption list and installation -of the update will succeed on the next attempt. +--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 10/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Updates using forward and reverse differentials + + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as + Windows 10, version 1809 (Windows 10 Build 17763.1) + +- *Revision*: Minor releases in between the major version releases, such as + KB4464330 (Windows 10 Build 17763.55) + +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that + contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size + +- Applicable to all baselines + +- Simple to build + +- Efficient to install + +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version +1803 and older supported versions of Windows 10) are optimized by using express +download. Express download is optimized such that updating Windows 10 systems +will download the minimum number of bytes. This is achieved by generating +differentials for every updated file based on selected historical base revisions +of the same file + its base or RTM version. + +For example, if the October monthly quality update has updated Notepad.exe, +differentials for Notepad.exe file changes from September to October, August to +October, July to October, June to October, and from the original feature release +to October are generated. All these differentials are stored in a Patch Storage +File (PSF, also referred to as “express download files”) and hosted or cached on +Windows Update or other update management or distribution servers (for example, +Windows Server Update Services (WSUS), System Center Configuration Manager, or a +non-Microsoft update management or distribution server that supports express +updates). A device leveraging express updates uses network protocol to determine +optimal differentials, then downloads only what is needed from the update +distribution endpoints. + +The flipside of express download is that the size of PSF files can be very large +depending on the number of historical baselines against which differentials were +calculated. Downloading and caching large PSF files to on-premises or remote +update distribution servers is problematic for most organizations, hence they +are unable to leverage express updates to keep their fleet of devices running +Windows 10 up to date. Secondly, due to the complexity of generating +differentials and size of the express files that need to be cached on update +distribution servers, it is only feasible to generate express download files for +the most common baselines, thus express updates are only applicable to selected +baselines. Finally, calculation of optimal differentials is expensive in terms +of system memory utilization, especially for low-cost systems, impacting their +ability to download and apply an update seamlessly. + +In the following sections, we describe how Windows 10 quality updates will +leverage this technique based on forward and reverse differentials for newer +releases of Windows 10 and Windows Server to overcome the challenges with +express downloads. + +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from +quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM +(∆N→RTM) for each file that has changed since RTM. By using the RTM version as +the baseline, we ensure that all devices will have an identical payload. Update +package metadata, content manifests, and forward and reverse differentials will +be packaged into a cabinet file (.cab). This .cab file, and the applicability +logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. +These files will not have RTM baselines, thus forward and reverse differentials +cannot be used. In these scenarios, null differentials will be used to handle +servicing. Null differentials are the slightly compressed and optimized version +of the full binaries. Update packages can have either +forward or reverse differentials, or null differential of any given binary in +them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are +determined to be applicable, the Windows component servicing infrastructure will +hydrate the full files during pre-installation and then proceed with the usual +installation process. + +Below is a high-level sequence of activities that the component servicing +infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. + +- Hydrate each of necessary files using current version (VN) of the file, + reverse differential (VN--->RTM) of the file back to quality update RTM/base + version and forward differential (VRTM--->R) from feature update RTM/base + version to the target version. Also, use null differential hydration to + hydrate null compressed files. + +- Stage the hydrated files (full file), forward differentials (under ‘f’ + folder) and reverse differentials (under ‘r’ folder) or null compressed + files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). + +- Resolve any dependencies and install components. + +- Clean up older state (VN-1); the previous state VN is retained for + uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that +could occur due to susceptibility of certain types of hardware to file system +corruption, a corruption repair service has been traditionally used to recover +the component store automatically (“automatic corruption repair”) or on demand +(“manual corruption repair”) using an online or local repair source. This +service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption +repair will start as usual and use the Baseless Patch Storage File published to +Windows Update for each update to fix corrupted manifests, binary differentials, +or hydrated or full files. Baseless patch storage files will contain reverse and +forward differentials and full files for each updated component. Integrity of +the repair files will be hash verified. + +Corruption repair will use the component manifest to detect missing files and +get hashes for corruption detection. During update installation, new registry +flags for each differential staged on the machine will be set. When automatic +corruption repair runs, it will scan hydrated files using the manifest and +differential files using the flags. If the differential cannot be found or +verified, it will be added to the list of corruptions to repair. + +### Lazy automatic corruption repair + +“Lazy automatic corruption repair” runs during update operations to detect +corrupted binaries and differentials. While applying an update, if hydration of +any file fails, "lazy" automatic corruption repair automatically starts, +identifies the corrupted binary or differential file, and then adds it to the +corruption list. Later, the update operation continues as far as it can go, so +that "lazy" automatic corruption repair can collect as many corrupted files to fix +as possible. At the end of the hydration section, the update fails, and +automatic corruption repair starts. Automatic corruption repair runs as usual +and at the end of its operation, adds the corruption list generated by "lazy" +automatic corruption repair on top of the new list to repair. Automatic +corruption repair then repairs the files on the corruption list and installation +of the update will succeed on the next attempt. diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 101adcbb48..20ecac8ae7 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,74 +1,74 @@ ---- -title: Introduction to the Windows Insider Program for Business -description: Introduction to the Windows Insider Program for Business and why IT Pros should join it -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 03/01/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Introduction to the Windows Insider Program for Business - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. - -The Windows Insider Program for Business gives you the opportunity to: - -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real time by using the Feedback Hub app. -* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App across your organization. - -Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - - -[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
          -Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. - - -## Explore new Windows 10 features in Insider Previews -Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| -|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | -|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
          - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
          - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
          - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
          - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | - -## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - -- Get a head start on your Windows validation process -- Identify issues sooner to accelerate your Windows deployment -- Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. - - - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| -|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| -|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | -|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | -|Guidance | Application and infrastructure validation:
          - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
          - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
          - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| - +--- +title: Introduction to the Windows Insider Program for Business +description: Introduction to the Windows Insider Program for Business and why IT Pros should join it +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 03/01/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Introduction to the Windows Insider Program for Business + + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. + +The Windows Insider Program for Business gives you the opportunity to: + +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real time by using the Feedback Hub app. +* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. +* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App across your organization. + +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + + +[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
          +Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. + + +## Explore new Windows 10 features in Insider Previews +Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| +|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | +|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
          - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
          - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
          - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
          - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | + +## Validate Insider Preview builds +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: + +- Get a head start on your Windows validation process +- Identify issues sooner to accelerate your Windows deployment +- Engage Microsoft earlier for help with potential compatibility issues +- Deploy Windows 10 Semi-Annual releases faster and more confidently +- Maximize the 18-month support Window that comes with each Semi-Annual release. + + + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| +|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| +|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | +|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | +|Guidance | Application and infrastructure validation:
          - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
          - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
          - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| + diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index e6962491e6..135d1670a5 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -1,52 +1,52 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) +--- +title: Change history for Update Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Change history for Update Windows 10 + +This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). + +>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). + +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + +## RELEASE: Windows 10, version 1709 + +The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). + +## September 2017 + +| New or changed topic | Description | +| --- | --- | +| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | + +## July 2017 + +All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). + +## May 2017 + +| New or changed topic | Description | +| --- | --- | +| [Manage additional Windows Update settings](waas-wu-settings.md) | New | + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index a81062fdc3..eb1b10ab08 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -1,78 +1,78 @@ ---- -title: Get started with Device Health -description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. -keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.date: 10/29/2018 -ms.reviewer: -manager: laurawi -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Get started with Device Health - -This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. - -- [Get started with Device Health](#get-started-with-device-health) - - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription) - - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) - - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more) - - [Related topics](#related-topics) - - - -## Add the Device Health solution to your Azure subscription - -Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps: - -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. - - >[!NOTE] - > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. - -2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. - ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) - - ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) -3. Choose an existing workspace or create a new workspace to host the Device Health solution. - ![Azure portal showing Azure Monitor workspace fly-in](images/CreateSolution-Part3-Workspace.png) - - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. -4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. - ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) -5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. - ![Azure portal all services page with Azure Monitor found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) - - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. - - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. - -## Enroll devices in Windows Analytics - -Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: -1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) -2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. -For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." - -## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more - -Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md). - ->[!NOTE] ->You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices. - -## Related topics - -[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
          -For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) +--- +title: Get started with Device Health +description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. +keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 10/29/2018 +ms.reviewer: +manager: laurawi +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Get started with Device Health + +This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. + +- [Get started with Device Health](#get-started-with-device-health) + - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription) + - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) + - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more) + - [Related topics](#related-topics) + + + +## Add the Device Health solution to your Azure subscription + +Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. + +2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. + ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) + + ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) +3. Choose an existing workspace or create a new workspace to host the Device Health solution. + ![Azure portal showing Azure Monitor workspace fly-in](images/CreateSolution-Part3-Workspace.png) + - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. +4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Azure Monitor found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. + +## Enroll devices in Windows Analytics + +Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: +1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) +2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. +For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." + +## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more + +Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md). + +>[!NOTE] +>You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices. + +## Related topics + +[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
          +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 8fe9a785eb..027f6cd65b 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -1,84 +1,84 @@ ---- -title: Monitor the health of devices with Device Health -ms.reviewer: -manager: laurawi -description: You can use Device Health in Azure Portal to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. -keywords: oms, operations management suite, wdav, health, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Monitor the health of devices with Device Health - -## Introduction - -Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. - -Like Upgrade Readiness and Update Compliance, Device Health is a solution built in Azure Portal, a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your Azure Portal workspace for its use. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) . - -Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the Azure Portal solution gallery and add it to your Azure Portal workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. - - -Device Health provides the following: - -- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced -- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes -- Notification of Windows Information Protection misconfigurations that send prompts to end users -- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data - -See the following topics in this guide for detailed information about configuring and using the Device Health solution: - -- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment. -- [Using Device Health](device-health-using.md): How to begin using Device Health. - -An overview of the processes used by the Device Health solution is provided below. - -## Device Health licensing - -Use of Windows Analytics Device Health requires one of the following licenses: - -- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance -- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) -- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) -- Windows VDA E3 or E5 per-device or per-user subscription - - -You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. - - -## Device Health architecture - -The Device Health architecture and data flow is summarized by the following five-step process: - - - -**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          -**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
          -**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your Azure Portal workspace.
          -**(4)** Diagnostic data is available in the Device Health solution.
          -**(5)** You are now able to proactively monitor Device Health issues in your environment.
          - -These steps are illustrated in following diagram: - - [![](images/analytics-architecture.png)](images/analytics-architecture.png) - ->[!NOTE] ->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - - -  -## Related topics - -[Get started with Device Health](device-health-get-started.md) - -[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md) - -For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) +--- +title: Monitor the health of devices with Device Health +ms.reviewer: +manager: laurawi +description: You can use Device Health in Azure Portal to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. +keywords: oms, operations management suite, wdav, health, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Monitor the health of devices with Device Health + +## Introduction + +Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. + +Like Upgrade Readiness and Update Compliance, Device Health is a solution built in Azure Portal, a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your Azure Portal workspace for its use. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) . + +Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the Azure Portal solution gallery and add it to your Azure Portal workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. + + +Device Health provides the following: + +- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users +- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data + +See the following topics in this guide for detailed information about configuring and using the Device Health solution: + +- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment. +- [Using Device Health](device-health-using.md): How to begin using Device Health. + +An overview of the processes used by the Device Health solution is provided below. + +## Device Health licensing + +Use of Windows Analytics Device Health requires one of the following licenses: + +- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance +- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) +- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) +- Windows VDA E3 or E5 per-device or per-user subscription + + +You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. + + +## Device Health architecture + +The Device Health architecture and data flow is summarized by the following five-step process: + + + +**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          +**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
          +**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your Azure Portal workspace.
          +**(4)** Diagnostic data is available in the Device Health solution.
          +**(5)** You are now able to proactively monitor Device Health issues in your environment.
          + +These steps are illustrated in following diagram: + + [![](images/analytics-architecture.png)](images/analytics-architecture.png) + +>[!NOTE] +>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + + + +  +## Related topics + +[Get started with Device Health](device-health-get-started.md) + +[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md) + +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md index 7b26d6be23..7cd119e52b 100644 --- a/windows/deployment/update/feature-update-conclusion.md +++ b/windows/deployment/update/feature-update-conclusion.md @@ -1,24 +1,24 @@ ---- -title: Best practices for feature updates - conclusion -description: Final thoughts about how to deploy feature updates -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - +--- +title: Best practices for feature updates - conclusion +description: Final thoughts about how to deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/09/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Conclusion + +**Applies to**: Windows 10 + +Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. + +Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. + diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index b945d2692b..0fbe54bae5 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -1,261 +1,261 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to deploy feature updates during a maintenance window -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - ->[!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. - -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini - -``` -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -``` -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -``` - ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. - - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status -After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: - -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. +--- +title: Best practices - deploy feature updates during maintenance windows +description: Learn how to deploy feature updates during a maintenance window +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/09/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploy feature updates during maintenance windows + +**Applies to**: Windows 10 + +Use the following information to deploy feature updates during a maintenance window. + +## Get ready to deploy feature updates + +### Step 1: Configure maintenance windows + +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. +5. Complete the `` Schedule dialog. +6. Select from the Apply this schedule to drop-down list. +7. Choose **OK** and then close the **\ Properties** dialog box. + +### Step 2: Review computer restart device settings + +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. + +For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. + +>[!NOTE] +> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. +>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** +>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** + +### Step 3: Enable Peer Cache + +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. + +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. + + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + >[!NOTE] + >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + + >[!NOTE] + >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + >[!NOTE] + >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). + +### Step 4: Monitor the deployment status +After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: + +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index f3cf3adf07..61469bed82 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,43 +1,43 @@ ---- -title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices -description: Learn how to deploy feature updates to your mission critical devices -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/10/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices - -**Applies to**: Windows 10 - -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. - -For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). - -Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: - -- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. -- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. - -You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. -- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. - -If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. - -Use the following information: - - -- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) -- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) -- [Conclusion](feature-update-conclusion.md) +--- +title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices +description: Learn how to deploy feature updates to your mission critical devices +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/10/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices + +**Applies to**: Windows 10 + +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. + +For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). + +Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: + +- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. +- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. + +You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: + +- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. +- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. + +If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. + +Use the following information: + + +- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) +- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) +- [Conclusion](feature-update-conclusion.md) diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index fe17e6fb8e..8b7e286eab 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -4,6 +4,7 @@ description: Learn how to manually deploy feature updates ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin @@ -69,6 +70,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without @@ -78,6 +80,7 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` >[!NOTE] diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 9940f89253..9d1e2e68e3 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,26 +1,26 @@ ---- -title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM -description: Learn how to make FoD and language packs available when you're using WSUS/SCCM -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: article -ms.author: greglin -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 03/13/2019 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# How to make Features on Demand and language packs available when you're using WSUS/SCCM - -> Applies to: Windows 10 - -As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, FOD and language packs can only be installed from Windows Update. - -For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading FOD and language packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor. - -Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them. - -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). +--- +title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM +description: Learn how to make FoD and language packs available when you're using WSUS/SCCM +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: article +ms.author: greglin +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 03/13/2019 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# How to make Features on Demand and language packs available when you're using WSUS/SCCM + +> Applies to: Windows 10 + +As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, FOD and language packs can only be installed from Windows Update. + +For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading FOD and language packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor. + +Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them. + +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 34a10dc134..0cce8e0389 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,146 +1,146 @@ ---- -title: How Windows Update works -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# How does Windows Update work? - ->Applies to: Windows 10 - -The Windows Update workflow has four core areas of functionality: - -### Scan - -1. Orchestrator schedules the scan. -2. Orchestrator verifies admin approvals and policies for download. - - -### Download -1. Orchestrator initiates downloads. -2. Windows Update downloads manifest files and provides them to the arbiter. -3. The arbiter evaluates the manifest and tells the Windows Update client to download files. -4. Windows Update client downloads files in a temporary folder. -5. The arbiter stages the downloaded files. - - -### Install -1. Orchestrator initates the installation. -2. The arbiter calls the installer to install the package. - - -### Commit -1. Orchestrator initiates a restart. -2. The arbiter finalizes before the restart. - - -## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. - -## Scanning updates -![Windows Update scanning step](images/update-scan-step.png) - -The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. - -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. - -Make sure you're familiar with the following terminology related to Windows Update scan: - -|Term|Definition| -|----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| -|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| -|Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | -|Full scan|Scan with empty datastore.| -|Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | - -### How Windows Update scanning works - -Windows Update takes the following sets of actions when it runs a scan. - -#### Starts the scan for updates -When users start scanning in Windows Update through the Settings panel, the following occurs: - -- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. -- "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. - - Windows Update uses the thread ID filtering to concentrate on one particular task. - - ![Windows Update scan log 1](images/update-scan-log-1.png) - -#### Identifies service IDs - -- Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - -- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. - ![Windows Update scan log 2](images/update-scan-log-2.png) -- Common service IDs - - >[!IMPORTANT] - >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. - -|Service|ServiceId| -|-------|---------| -|Unspecified / Default|WU, MU or WSUS
          00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| -|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| -|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| -|WSUS or SCCM|Via ServerSelection::ssManagedServer
          3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | -|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| - -#### Finds network faults -Common update failure is caused due to network issues. To find the root of the issue: - -- Look for "ProtocolTalker" messages to see client-server sync network traffic. -- "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. - - >[!NOTE] - >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. - -- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. - ![Windows Update scan log 3](images/update-scan-log-3.png) - -## Downloading updates -![Windows Update download step](images/update-download-step.png) - -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. - -To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. - -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). - -## Installing updates -![Windows Update install step](images/update-install-step.png) - -When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". - -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. - -## Committing Updates -![Windows Update commit step](images/update-commit-step.png) - -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. - -For more information see [Manage device restarts after updates](waas-restart.md). +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# How does Windows Update work? + +>Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator verifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. + +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. + +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. + ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + >[!IMPORTANT] + >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
          00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
          3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + >[!NOTE] + >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index da75754d7f..4f38f8583c 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -1,131 +1,131 @@ ---- -title: Olympia Corp enrollment guidelines -description: Olympia Corp enrollment guidelines -ms.author: greglin -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: greg-lindsay -ms.reviewer: -manager: laurawi -keywords: insider, trial, enterprise, lab, corporation, test ---- - -# Olympia Corp - -## What is Windows Insider Lab for Enterprise and Olympia Corp? - -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. - -As an Olympia user, you will have an opportunity to: - -- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. - ->[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. - -For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). - -To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). - -## Enrollment guidelines - -Welcome to Olympia Corp. Here are the steps needed to enroll. - -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. - -Choose one of the following two enrollment options: - -- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - -- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. - - - -### Set up an Azure Active Directory-REGISTERED Windows 10 device - -This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/1-3.png) - -4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/1-4.png) - -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. - -6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - - - -### Set up Azure Active Directory-JOINED Windows 10 device - -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect**, then click **Join this device to Azure Active Directory**. - - ![Update your password](images/2-3.png) - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/2-4.png) - -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/2-5.png) - -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -10. Restart your device. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - ->[!NOTE] -> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. - +--- +title: Olympia Corp enrollment guidelines +description: Olympia Corp enrollment guidelines +ms.author: greglin +ms.topic: article +ms.prod: w10 +ms.technology: windows +audience: itpro author: greg-lindsay +ms.reviewer: +manager: laurawi +keywords: insider, trial, enterprise, lab, corporation, test +--- + +# Olympia Corp + +## What is Windows Insider Lab for Enterprise and Olympia Corp? + +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. + +As an Olympia user, you will have an opportunity to: + +- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. + +>[!Note] +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. + +For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). + +To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). + +## Enrollment guidelines + +Welcome to Olympia Corp. Here are the steps needed to enroll. + +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. + +Choose one of the following two enrollment options: + +- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. + +- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. + + + +### Set up an Azure Active Directory-REGISTERED Windows 10 device + +This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/1-3.png) + +4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/1-4.png) + +5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. + +6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. + +7. Create a PIN for signing into your Olympia corporate account. + +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + + + +### Set up Azure Active Directory-JOINED Windows 10 device + +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect**, then click **Join this device to Azure Active Directory**. + + ![Update your password](images/2-3.png) + +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/2-4.png) + +5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/2-5.png) + +6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. + +8. Create a PIN for signing into your Olympia corporate account. + +9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +10. Restart your device. + +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. + +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + +>[!NOTE] +> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. + diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 99e3295e19..1f23ccbc44 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,56 +1,56 @@ ---- -title: Servicing stack updates (Windows 10) -description: Servicing stack updates improve the code that installs the other updates. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 11/29/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Servicing stack updates - - -**Applies to** - -- Windows 10, Windows 8.1, Windows 8, Windows 7 - -## What is a servicing stack update? -Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. - -## Why should servicing stack updates be installed and kept up to date? - -Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. - -## When are they released? - -Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." - ->[!NOTE] ->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). - -## What's the difference between a servicing stack update and a cumulative update? - -Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. - -Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. - - -## Is there any special guidance? - -Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. - -Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. - -## Installation notes - -* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. -* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. -* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. -* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). +--- +title: Servicing stack updates (Windows 10) +description: Servicing stack updates improve the code that installs the other updates. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 11/29/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Servicing stack updates + + +**Applies to** + +- Windows 10, Windows 8.1, Windows 8, Windows 7 + +## What is a servicing stack update? +Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. + +## Why should servicing stack updates be installed and kept up to date? + +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. + +## When are they released? + +Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." + +>[!NOTE] +>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). + +## What's the difference between a servicing stack update and a cumulative update? + +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. + +Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. + + +## Is there any special guidance? + +Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. + +Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. + +## Installation notes + +* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index f89a5f7dbf..a637aea0a8 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin +audience: itpro +author: jaimeo +ms.author: jaimeo keywords: oms, operations management suite, optimization, downloads, updates, log analytics ms.localizationpriority: medium ms.collection: M365-analytics @@ -21,11 +22,9 @@ The Update Compliance solution of Windows Analytics provides you with informatio ![DO status](images/UC_workspace_DO_status.png) > [!IMPORTANT] -> There are currently two known issues affecting the Delivery Optimization status displayed in these blades: ->- Devices running Windows 10, version 1803 or older versions are not sending the correct configuration profile. As a result, the information in the Device Configuration blade might not accurately reflect the settings in your environment. ->- Some devices running Windows 10, version 1809 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance. +> There is a known issue with the way device configuration is displayed for Delivery Optimization. Some devices running Windows 10, versions 1809 or 1903 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance. > ->Look for fixes for both of these issues in a forthcoming update. +>**This issue is now fixed by installing the 2019-07 cumulative update appropriate for the device.** ## Delivery Optimization Status diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index eb806c7b40..8d6fa2501e 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -1,49 +1,49 @@ ---- -title: Update Compliance - Feature Update Status report -ms.reviewer: -manager: laurawi -description: an overview of the Feature Update Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Feature Update Status - -![The Feature Update Status report](images/UC_workspace_FU_status.png) - -The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). - -## Overall Feature Update Status - -The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. - -## Deployment Status by Servicing Channel - -To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in. - -Refer to the following list for what each state means: -* **Installed** devices are devices that have completed installation for the given update. -* When a device is counted as **In Progress**, it has begun the feature update installation. -* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days. -* Devices that have failed the given feature update installation are counted as **Update failed**. -* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. - -## Compatibility holds - -Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. - -To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). - -### Opting out of compatibility hold - -Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. - - -Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. - +--- +title: Update Compliance - Feature Update Status report +ms.reviewer: +manager: laurawi +description: an overview of the Feature Update Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Feature Update Status + +![The Feature Update Status report](images/UC_workspace_FU_status.png) + +The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). + +## Overall Feature Update Status + +The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. + +## Deployment Status by Servicing Channel + +To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in. + +Refer to the following list for what each state means: +* **Installed** devices are devices that have completed installation for the given update. +* When a device is counted as **In Progress**, it has begun the feature update installation. +* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days. +* Devices that have failed the given feature update installation are counted as **Update failed**. +* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. + +## Compatibility holds + +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. + +To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). + +### Opting out of compatibility hold + +Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. + + +Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. + diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 4a3ce5b3d2..8a005eb69d 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -1,75 +1,75 @@ ---- -title: Get started with Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network. -keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Get started with Update Compliance -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. - -Steps are provided in sections that follow the recommended setup process: - -1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). -2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). -3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). -4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. - -## Update Compliance prerequisites -Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. -2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. -3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. -4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro). - -## Add Update Compliance to your Azure subscription -Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: - -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. - -> [!NOTE] -> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. - -2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. - -![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) - -3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. - -![Update Compliance solution creation](images/UC_01_marketplace_create.png) - -4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. - - If you already have another Windows Analytics solution, you should use the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. - -![Update Compliance workspace creation](images/UC_02_workspace_create.png) - -5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. - -![Update Compliance workspace selection](images/UC_03_workspace_select.png) - -6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. - -![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) - -## Enroll devices in Windows Analytics -Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: -1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) or similar). -2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. +--- +title: Get started with Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network. +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Get started with Update Compliance +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. + +Steps are provided in sections that follow the recommended setup process: + +1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). +2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. + +## Update Compliance prerequisites +Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: +1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. +3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. +4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro). + +## Add Update Compliance to your Azure subscription +Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + +> [!NOTE] +> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. + +2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. + +![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) + +3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. + +![Update Compliance solution creation](images/UC_01_marketplace_create.png) + +4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. + - If you already have another Windows Analytics solution, you should use the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. + +![Update Compliance workspace creation](images/UC_02_workspace_create.png) + +5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. + +![Update Compliance workspace selection](images/UC_03_workspace_select.png) + +6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. + +![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) + +## Enroll devices in Windows Analytics +Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: +1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) or similar). +2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 44c72f9275..1ece514b2e 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,57 +1,57 @@ ---- -title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. -keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Monitor Windows Updates with Update Compliance - -## Introduction - -Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: - -* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. -* View a report of device and update issues related to compliance that need attention. -* See the status of Windows Defender Antivirus signatures and threats. -* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). - -Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). - -Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). - -See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: - -- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. -- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. - -## Update Compliance architecture - -The Update Compliance architecture and data flow is summarized by the following four-step process: - -1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          -2. Diagnostic data is analyzed by the Update Compliance Data Service.
          -3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
          -4. Diagnostic data is available in the Update Compliance solution.
          - - ->[!NOTE] ->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - - -  -## Related topics - -[Get started with Update Compliance](update-compliance-get-started.md)
          -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) +--- +title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. +keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Monitor Windows Updates with Update Compliance + +## Introduction + +Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: + +* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. +* View a report of device and update issues related to compliance that need attention. +* See the status of Windows Defender Antivirus signatures and threats. +* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). + +Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). + +Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). + +See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: + +- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. +- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. + +## Update Compliance architecture + +The Update Compliance architecture and data flow is summarized by the following four-step process: + +1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
          +2. Diagnostic data is analyzed by the Update Compliance Data Service.
          +3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
          +4. Diagnostic data is available in the Update Compliance solution.
          + + +>[!NOTE] +>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + + + +  +## Related topics + +[Get started with Update Compliance](update-compliance-get-started.md)
          +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 1dff2b7467..be35a79469 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -1,46 +1,46 @@ ---- -title: Update Compliance - Need Attention! report -ms.reviewer: -manager: laurawi -description: an overview of the Update Compliance Need Attention! report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Needs attention! -![Needs attention section](images/UC_workspace_needs_attention.png) - -The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. - ->[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. - -The different issues are broken down by Device Issues and Update Issues: - -## Device Issues - -* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. - -## Update Issues - -* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. -* **Cancelled**: This issue occurs when a user cancels the update process. -* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. -* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. -* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. - -Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. - ->[!NOTE] ->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. - -## List of Queries - -The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. +--- +title: Update Compliance - Need Attention! report +ms.reviewer: +manager: laurawi +description: an overview of the Update Compliance Need Attention! report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Needs attention! +![Needs attention section](images/UC_workspace_needs_attention.png) + +The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. + +>[!NOTE] +>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. + +The different issues are broken down by Device Issues and Update Issues: + +## Device Issues + +* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. + +## Update Issues + +* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. +* **Cancelled**: This issue occurs when a user cancels the update process. +* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. +* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. + +Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. + +>[!NOTE] +>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. + +## List of Queries + +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index 44de7e6407..4af9e5897a 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -1,65 +1,65 @@ ---- -title: Update Compliance - Perspectives -ms.reviewer: -manager: laurawi -description: an overview of Update Compliance Perspectives -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Perspectives - -![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) - -Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. - -There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. - -The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. - -The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). - -## Deployment status - -The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: - -| State | Description | -| --- | --- | -| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | -| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | -| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | -| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | -| Cancelled | The update was cancelled. | -| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | -| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | -| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | -| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | - -## Detailed deployment status - -The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: - -| State | Description | -| --- | --- | -| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | -| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | -| Update offered | The device has been offered the update, but has not begun downloading it. | -| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | -| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | -| Download Started | The update has begun downloading on the device. | -| Download Succeeded | The update has successfully completed downloading. | -| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | -| Install Started | Installation of the update has begun. | -| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. -| Reboot Pending | The device has a scheduled reboot to apply the update. | -| Reboot Initiated | The scheduled reboot has been initiated. | -| Update Completed/Commit | The update has successfully installed. | - ->[!NOTE] ->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. +--- +title: Update Compliance - Perspectives +ms.reviewer: +manager: laurawi +description: an overview of Update Compliance Perspectives +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Perspectives + +![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) + +Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. + +There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates. + +The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered. + +The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). + +## Deployment status + +The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: + +| State | Description | +| --- | --- | +| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | +| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | +| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | +| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | +| Cancelled | The update was cancelled. | +| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | +| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | +| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | +| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | + +## Detailed deployment status + +The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: + +| State | Description | +| --- | --- | +| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | +| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | +| Update offered | The device has been offered the update, but has not begun downloading it. | +| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | +| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | +| Download Started | The update has begun downloading on the device. | +| Download Succeeded | The update has successfully completed downloading. | +| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | +| Install Started | Installation of the update has begun. | +| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. +| Reboot Pending | The device has a scheduled reboot to apply the update. | +| Reboot Initiated | The scheduled reboot has been initiated. | +| Update Completed/Commit | The update has successfully installed. | + +>[!NOTE] +>Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 77c1d488c8..501c1bcb57 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,94 +1,94 @@ ---- -title: Using Update Compliance (Windows 10) -ms.reviewer: -manager: laurawi -description: Explains how to begin usihg Update Compliance. -keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Use Update Compliance - -In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). - - -Update Compliance: -- Provides detailed deployment data for Windows 10 security, quality, and feature updates. -- Reports when devices have issues related to updates that need attention. -- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). -- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. - -## The Update Compliance tile -After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: - -![Update Compliance tile no data](images/UC_tile_assessing.png) - -When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: - -![Update Compliance tile with data](images/UC_tile_filled.png) - -The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. - -## The Update Compliance workspace - -![Update Compliance workspace view](images/UC_workspace_needs_attention.png) - -When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. - -### Overview blade - -![The Overview blade](images/UC_workspace_overview_blade.png) - -Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: -* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. -* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. -* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. - -The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). - -The following is a breakdown of the different sections available in Update Compliance: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. -* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. -* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. -* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. -* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. - - -## Update Compliance data latency -Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: - -Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. - -| Data Type | Refresh Rate | Data Latency | -|--|--|--| -|WaaSUpdateStatus | Once per day |4 hours | -|WaaSInsiderStatus| Once per day |4 hours | -|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | -|WDAVStatus|On signature update|24 hours | -|WDAVThreat|On threat detection|24 hours | -|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | -|WUDOStatus|Once per day|12 hours | - -This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). - -## Using Log Analytics - -Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. - -See below for a few topics related to Log Analytics: -* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). -* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). -* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. - -## Related topics - -[Get started with Update Compliance](update-compliance-get-started.md) +--- +title: Using Update Compliance (Windows 10) +ms.reviewer: +manager: laurawi +description: Explains how to begin usihg Update Compliance. +keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Use Update Compliance + +In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). + + +Update Compliance: +- Provides detailed deployment data for Windows 10 security, quality, and feature updates. +- Reports when devices have issues related to updates that need attention. +- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). +- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). +- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. + +## The Update Compliance tile +After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: + +![Update Compliance tile no data](images/UC_tile_assessing.png) + +When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: + +![Update Compliance tile with data](images/UC_tile_filled.png) + +The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. + +## The Update Compliance workspace + +![Update Compliance workspace view](images/UC_workspace_needs_attention.png) + +When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. + +### Overview blade + +![The Overview blade](images/UC_workspace_overview_blade.png) + +Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. +* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. + +The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). + +The following is a breakdown of the different sections available in Update Compliance: +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. +* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. +* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. + + +## Update Compliance data latency +Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: + +Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. + +| Data Type | Refresh Rate | Data Latency | +|--|--|--| +|WaaSUpdateStatus | Once per day |4 hours | +|WaaSInsiderStatus| Once per day |4 hours | +|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | +|WDAVStatus|On signature update|24 hours | +|WDAVThreat|On threat detection|24 hours | +|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | +|WUDOStatus|Once per day|12 hours | + +This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance. + +See below for a few topics related to Log Analytics: +* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). +* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). +* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. + +## Related topics + +[Get started with Update Compliance](update-compliance-get-started.md) diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 716a071e38..35deef9366 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -1,42 +1,42 @@ ---- -title: Update Compliance - Windows Defender AV Status report -ms.reviewer: -manager: laurawi -description: an overview of the Windows Defender AV Status report -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Defender AV Status - -![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) - -The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. - ->[!NOTE] ->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). - -# Windows Defender AV Status sections -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. - -The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. - -Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with a signature older than 14 days. -* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. -* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. -* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. - -## Windows Defender data latency -Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. - -## Related topics - -- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) +--- +title: Update Compliance - Windows Defender AV Status report +ms.reviewer: +manager: laurawi +description: an overview of the Windows Defender AV Status report +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Defender AV Status + +![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) + +The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. + +>[!NOTE] +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). + +# Windows Defender AV Status sections +The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. + +The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. + +Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: +* **Signature out of date** devices are devices with a signature older than 14 days. +* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. +* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. +* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. +* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. + +## Windows Defender data latency +Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. + +## Related topics + +- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 6e8a4ba345..826846e2fb 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -1,3 +1,4 @@ +<<<<<<< HEAD --- title: Configure BranchCache for Windows 10 updates (Windows 10) description: Use BranchCache to optimize network bandwidth during update deployment. @@ -69,3 +70,76 @@ In addition to these steps, there is one requirement for WSUS to be able to use - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Deploy Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) +======= +--- +title: Configure BranchCache for Windows 10 updates (Windows 10) +description: Use BranchCache to optimize network bandwidth during update deployment. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Configure BranchCache for Windows 10 updates + + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. + +- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. + + >[!TIP] + >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. + +- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. + +For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx). + +## Configure clients for BranchCache + +Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx). + +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. + +## Configure servers for BranchCache + +You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. + +For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide). + +In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode. + +>[!NOTE] +>Configuration Manager only supports Distributed Cache mode. + + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) +>>>>>>> 1682d137057c63a81145c556ac06a5eea8c576b6 diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 137311779d..36aa2a2099 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -6,6 +6,7 @@ description: You can use Group Policy or your mobile device management (MDM) ser ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin @@ -27,8 +28,8 @@ ms.topic: article You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). ->[!IMPORTANT] ->For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +> [!IMPORTANT] +> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 415928e9ba..fec88b2720 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -7,6 +7,7 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin @@ -116,7 +117,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. [//]: # (SCCM Boundary Group option; GroupID Source policy) diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 848ed759c2..f21112405f 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -1,190 +1,190 @@ ---- -title: Set up Delivery Optimization -ms.reviewer: -manager: laurawi -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -keywords: oms, operations management suite, wdav, updates, downloads, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Set up Delivery Optimization for Windows 10 updates - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -## Recommended Delivery Optimization settings - -Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greates impact if particular situations exist in your deployment: - -- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)? -- If you use boundary groups in your topology, how many devices are present in a given group? -- What percentage of your devices are mobile? -- Do your devices have a lot of free space on their drives? -- Do you have a lab scenario with many devices on AC power? - ->[!NOTE] ->These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. - -Quick-reference table: - -| Use case | Policy | Recommended value | Reason | -| --- | --- | --- | --- | -| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | -| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | -| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | -| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | - - -### Hybrid WAN scenario - -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. - - - - -To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2. - -### Hub and spoke topology with boundary groups - -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). - - - -To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. - - -### Large number of mobile devices - -If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later. - -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. - -### Plentiful free space and large numbers of devices - -Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. - -[//]: # (default of 50 aimed at consumer) - -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). - -### Lab scenario - -In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. - -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days). - -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). - -[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?) - - -## Monitor Delivery Optimization -[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) - -### Windows PowerShell cmdlets - -**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. - -#### Analyze usage - -`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. - -| Key | Value | -| --- | --- | -| File ID | A GUID that identifies the file being processed | -| Priority | Priority of the download; values are **foreground** or **background** | -| FileSize | Size of the file | -| TotalBytesDownloaded | The number of bytes from any source downloaded so far | -| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | -| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP | -| DownloadDuration | Total download time in seconds | -| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | -| NumPeers | Indicates the total number of peers returned from the service. | -| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | -| ExpireOn | The target expiration date and time for the file. | -| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | - -`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: - -- Number of files downloaded  -- Number of files uploaded  -- Total bytes downloaded  -- Total bytes uploaded  -- Average transfer size (download); that is, the number bytes downloaded divided by the number of files  -- Average transfer size (upload); the number of bytes uploaded divided by the number of files -- Peer efficiency; same as PercentPeerCaching - -Using the `-Verbose` option returns additional information: - -- Bytes from peers (per type)  -- Bytes from CDN (the number of bytes received over HTTP) -- Average number of peer connections per download  - -Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. - -Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. - -#### Manage the Delivery Optimization cache - -**Starting in Windows 10, version 1903:** - -`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. - -`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. - -You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. - -`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. - -`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are rreached. The file is included in the cache quota calculation. - -`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: - -- `-FileID` specifies a particular file to delete. -- `-IncludePinnedFiles` deletes all files that are pinned. -- `-Force` deletes the cache with no prompts. - - -#### Work with Delivery Optimization logs - -**Starting in Windows 10, version 1803:** - -`Get-DeliveryOptimizationLog [-Path ] [-Flush]` - -If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs. - -Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. - -[//]: # (section on what to look for in logs, list of peers, connection failures) - - - -[//]: # (possibly move to Troubleshooting) - -### Monitor with Update Compliance - -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. - -![DO status](images/UC_workspace_DO_status.png) - -For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md). - +--- +title: Set up Delivery Optimization +ms.reviewer: +manager: laurawi +description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +keywords: oms, operations management suite, wdav, updates, downloads, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Set up Delivery Optimization for Windows 10 updates + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +## Recommended Delivery Optimization settings + +Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greates impact if particular situations exist in your deployment: + +- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)? +- If you use boundary groups in your topology, how many devices are present in a given group? +- What percentage of your devices are mobile? +- Do your devices have a lot of free space on their drives? +- Do you have a lab scenario with many devices on AC power? + +>[!NOTE] +>These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. + +Quick-reference table: + +| Use case | Policy | Recommended value | Reason | +| --- | --- | --- | --- | +| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | +| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | +| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | +| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | + + +### Hybrid WAN scenario + +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. + + + + +To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2. + +### Hub and spoke topology with boundary groups + +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). + + + +To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. + + +### Large number of mobile devices + +If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later. + +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. + +### Plentiful free space and large numbers of devices + +Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. + +[//]: # (default of 50 aimed at consumer) + +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). + +### Lab scenario + +In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. + +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days). + +To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). + +[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?) + + +## Monitor Delivery Optimization +[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) + +### Windows PowerShell cmdlets + +**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. + +#### Analyze usage + +`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. + +| Key | Value | +| --- | --- | +| File ID | A GUID that identifies the file being processed | +| Priority | Priority of the download; values are **foreground** or **background** | +| FileSize | Size of the file | +| TotalBytesDownloaded | The number of bytes from any source downloaded so far | +| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | +| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | +| BytesfromHTTP | Total number of bytes received over HTTP | +| DownloadDuration | Total download time in seconds | +| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| NumPeers | Indicates the total number of peers returned from the service. | +| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | +| ExpireOn | The target expiration date and time for the file. | +| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | + +`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: + +- Number of files downloaded  +- Number of files uploaded  +- Total bytes downloaded  +- Total bytes uploaded  +- Average transfer size (download); that is, the number bytes downloaded divided by the number of files  +- Average transfer size (upload); the number of bytes uploaded divided by the number of files +- Peer efficiency; same as PercentPeerCaching + +Using the `-Verbose` option returns additional information: + +- Bytes from peers (per type)  +- Bytes from CDN (the number of bytes received over HTTP) +- Average number of peer connections per download  + +Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. + +Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. + +#### Manage the Delivery Optimization cache + +**Starting in Windows 10, version 1903:** + +`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. + +`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. + +You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. + +`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. + +`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are rreached. The file is included in the cache quota calculation. + +`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: + +- `-FileID` specifies a particular file to delete. +- `-IncludePinnedFiles` deletes all files that are pinned. +- `-Force` deletes the cache with no prompts. + + +#### Work with Delivery Optimization logs + +**Starting in Windows 10, version 1803:** + +`Get-DeliveryOptimizationLog [-Path ] [-Flush]` + +If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs. + +Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. + +[//]: # (section on what to look for in logs, list of peers, connection failures) + + + +[//]: # (possibly move to Troubleshooting) + +### Monitor with Update Compliance + +The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. + +![DO status](images/UC_workspace_DO_status.png) + +For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md). + diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 6364181d33..1f15840c95 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -7,6 +7,7 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.author: greglin @@ -116,7 +117,7 @@ For the payloads (optional): **Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. -**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). ## Troubleshooting diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 454491e609..b1122abef6 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -1,51 +1,51 @@ ---- -title: Windows as a service -ms.prod: w10 -ms.topic: article -ms.manager: elizapo -author: greg-lindsay -ms.author: greglin -ms.date: 12/19/2018 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- -# Windows as a service - More news - -Here's more news about [Windows as a service](windows-as-a-service.md): - - +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 12/19/2018 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index b0f8130317..765d69d2cc 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -5,9 +5,18 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +<<<<<<< HEAD author: jaimeo ms.localizationpriority: medium ms.author: jaimeo +======= +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro +author: greg-lindsay +ms.date: 09/24/2018 +>>>>>>> 1682d137057c63a81145c556ac06a5eea8c576b6 ms.reviewer: manager: laurawi ms.topic: article @@ -74,13 +83,18 @@ There are currently two release channels for Windows 10: >[!IMPORTANT] >With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. The "Semi-Annual Channel (Targeted)" designation is no longer used. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). ->[!NOTE] +> [!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). > >You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. +<<<<<<< HEAD >[!IMPORTANT] >Devices on the Semi-Annual Channel must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +======= +> [!IMPORTANT] +> Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +>>>>>>> 1682d137057c63a81145c556ac06a5eea8c576b6 ### Feature updates @@ -107,8 +121,8 @@ With that in mind, Windows 10 offers three servicing channels. The [Windows Insi The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). ->[!NOTE] ->Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). +> [!NOTE] +> Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). ### Semi-Annual Channel @@ -130,20 +144,24 @@ Organizations are expected to initiate targeted deployment on Semi-Annual Channe Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. ->[!NOTE] ->Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> [!NOTE] +> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. > +<<<<<<< HEAD >Long-term Servicing channel is not intended for deployment on most or all the devicess in an organization; it should be used only for special-purpose devices. As a general guideline, a devices with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. +======= +> Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. +>>>>>>> 1682d137057c63a81145c556ac06a5eea8c576b6 Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. ->[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). +> [!NOTE] +> Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. ->[!NOTE] ->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. +> [!NOTE] +> If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. ### Windows Insider @@ -151,10 +169,15 @@ For many IT pros, gaining visibility into feature updates early—before they’ Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md). +<<<<<<< HEAD >[!NOTE] >Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. +======= +> [!NOTE] +> Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. +>>>>>>> 1682d137057c63a81145c556ac06a5eea8c576b6 > ->The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +> The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 9e0f207f1f..fda8dac6f6 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -7,9 +7,11 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.topic: article ms.collection: M365-modern-desktop --- @@ -19,7 +21,7 @@ ms.collection: M365-modern-desktop > > **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** -Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. +Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates. The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 2cf601685a..9646afd361 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -4,9 +4,11 @@ description: Additional settings to control the behavior of Windows Update (WU) ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.localizationpriority: medium -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.date: 07/27/2017 ms.reviewer: manager: laurawi diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md new file mode 100644 index 0000000000..30f7702f19 --- /dev/null +++ b/windows/deployment/update/waas-wufb-intune.md @@ -0,0 +1,293 @@ +--- +title: Walkthrough use Intune to configure Windows Update for Business (Windows 10) +description: Configure Windows Update for Business settings using Microsoft Intune. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Walkthrough: use Microsoft Intune to configure Windows Update for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + +You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. + +Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. + +To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. + +>[!NOTE] +>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) + +## Configure Windows Update for Business in Windows 10, version 1511 + +In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). + +- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. +- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. + +>[!NOTE] +>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only. + +### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral + +1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. + +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. + +7. In the **Value** box, type **1**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + ![Settings for this policy](images/waas-wufb-intune-step7a.png) + +8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**. + +9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. + +You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates. + +### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals + +1. In the Policy workspace, click **Configuration Policies**, and then click **Add**. + +2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. + In this policy, you add two OMA-URI settings, one for each deferment type. + +4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**. + +7. Click **OK** to save the setting. + +8. In the **OMA-URI Settings** section, click **Add**. + +9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**. + +11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. + +12. In the **Value** box, type **1**. + +13. Click **OK** to save the setting. + +14. In the **OMA-URI Settings** section, click **Add**. + +15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**. + +17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**. + +18. In the **Value** box, type **1**. + +19. Click **OK** to save the setting. + + Three settings should appear in the **Windows Update for Business – CBB2** policy. + + ![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png) + +20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt. + +21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**. + +## Configure Windows Update for Business in Windows 10 version 1607 + +To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. + +In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: + +- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released. +- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch. +- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days. + +### Configure Ring 2 Pilot Business Users policy + +1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**. + +4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. + +7. In the **Value** box, type **0**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + ![Settings for this policy](images/waas-wufb-intune-cb2a.png) + +8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list. +10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. +11. In the **Value** box, type **28**, and then click **OK**. + + ![Settings for this policy](images/waas-wufb-intune-step11a.png) + +9. Click **Save Policy**. + +9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**. + +You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available. + +### Configure Ring 4 Broad business users policy + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. + +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. + +7. In the **Value** box, type **1**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + +8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. + +10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. + +11. In the **Value** box, type **0**, and then click **OK**. + + ![Settings for this policy](images/waas-wufb-intune-cbb1a.png) + +12. Click **Save Policy**. + +13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. + +You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. + + +### Configure Ring 5 Broad business users \#2 policy + +2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. + + ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) + +3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. + +4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. + +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. + +6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. + +7. In the **Value** box, type **1**, and then click **OK**. + + >[!NOTE] + >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. + + +8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. + +10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. + +11. In the **Value** box, type **7**, and then click **OK**. + +12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. + +13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. + +14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. + +15. In the **Value** box, type **14**, and then click **OK**. + + ![Settings for this policy](images/waas-wufb-intune-cbb2a.png) + +16. Click **Save Policy**. + +17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. + + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + +18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. + +## Related topics + +- [Update Windows 10 in the enterprise](index.md) +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) + + + + + + + + diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index a68b265218..423c82f71c 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -1,293 +1,293 @@ ---- -title: Frequently asked questions and troubleshooting Windows Analytics -ms.reviewer: -manager: laurawi -description: Frequently asked questions about Windows Analytics and steps to take when things go wrong -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Frequently asked questions and troubleshooting Windows Analytics - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support. - -## Troubleshooting common problems - -If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here. - -[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness) - -[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) - -[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) - -[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability) - -[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) - -[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data) - -[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices) - -[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) - -[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) - -[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results) - -[Disable Upgrade Readiness](#disable-upgrade-readiness) - -[Exporting large data sets](#exporting-large-data-sets) - - -### Devices not appearing in Upgrade Readiness - -In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. - -Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog. - ->[!NOTE] -> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it. - -If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: - -1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included. -2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md). -3. Check that `isVerboseLogging` is set to `$true`. -4. Run the script again. Log files will be saved to the directory specified in the script. -5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully. -6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information. - -If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally. - -If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. - -If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: -1. Net stop diagtrack -2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f -3. Net start diagtrack - -#### Devices not appearing in Device Health Device Reliability - -[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) - -If you have devices that appear in other solutions, but not Device Health (the Device Health overview tile shows "Performing Assessment" or the device count is lower than expected), follow these steps to investigate the issue: -1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. -2. Confirm that the devices are running Windows 10. -3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). -4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). - - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the IT policy path. - - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the user preference (Settings app) path. - - IMPORTANT: By convention (and in earlier versions of Windows 10) the IT policy would take precedence over any user preference. Starting with Windows 10, version 1803, the user can lower the device's effective value even when an IT policy is set. This change assists organizations in complying with regional or organizational expectations about user control over privacy settings. For organizations where user control of privacy settings is not required, the previous behavior (IT policy path always wins) can be enabled using the new policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**. -5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Wait 48 hours for activity to appear in the reports. -7. If you need additional troubleshooting, contact Microsoft Support. - - -### Device crashes not appearing in Device Health Device Reliability - -[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png) - -If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue: - -1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic. -2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals. -3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): - - - Verify that the value "Disabled" (REG_DWORD), if set, is 0. - - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. - - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. - -4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes. -5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: - - [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) - - You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). - - ```powershell - $limitToMostRecentNEvents = 20 - Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} | - ?{ $_.Properties[2].Value -match "crash|blue" } | - % { [pscustomobject]@{ - TimeCreated=$_.TimeCreated - WEREvent=$_.Properties[2].Value - BucketId=$_.Properties[0].Value - ContextHint = $( - if($_.Properties[2].Value -eq "bluescreen"){"kernel"} - else{ $_.Properties[5].Value } - ) - }} | Select-Object -First $limitToMostRecentNEvents - ``` - The output should look something like this: - [![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png) - -6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. -7. Wait 48 hours for activity to appear in the reports. -8. If you need additional troubleshooting, contact Microsoft Support. - -#### Endpoint connectivity - -Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. - - -For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). - -### Apps not appearing in Device Health App Reliability - -[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png) - -If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue: - -1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic. -2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind: - - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system. - - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes. - - You can also use test apps which are designed to crash on demand. - -3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): - - - Verify that the value "Disabled" (REG_DWORD), if set, is 0. - - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. - - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. -4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. -5. Wait 48 hours for activity to appear in the reports. -6. If you need additional troubleshooting, contact Microsoft Support. - - -### Upgrade Readiness shows many "Computers with outdated KB" -If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: - -[![Upgrade Readiness tile showing Computers with outdated KB datum in red box](images/outdated_outdated.png)](images/outdated_outdated.png) - -On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - -Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool. - - -### Upgrade Readiness shows many "Computers with incomplete data" -If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: - -[![Upgrade Readiness tile showing Computers with incomplete data datum in red box](images/outdated_incomplete.png)](images/outdated_incomplete.png) - -Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results. -See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity. - - -If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale. - - - -### Upgrade Readiness doesn't show app inventory data on some devices -Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). - - -### Upgrade Readiness doesn't show IE site discovery data from some devices -Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.) - -Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. - -There are two additional configurations to check: -1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction. -2. Make sure IE is not running in InPrivate mode. - -Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). - ->[!NOTE] -> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. - -### Device names not appearing for Windows 10 devices -Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. - -### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results -This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button. - -We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds: - - -- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds. -- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced. -- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include: - - Log: System, ID: 41, Source: Kernel-Power - - Log System, ID: 6008, Source: EventLog - - - -### Disable Upgrade Readiness - -If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: - -1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. - - ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) - -2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: - - **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - - **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). - -3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. -4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". - -### Exporting large data sets - -Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time: - -``` -let snapshot = toscalar(UAApp | summarize max(TimeGenerated)); -let pageSize = 100000; -let pageNumber = 0; - -UAApp -| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count" -| order by AppName, AppVendor, AppVersion desc -| serialize -| where row_number(0) >= (pageSize * pageNumber) -| take pageSize -``` - - - -## Other common questions - -### What are the requirements and costs for Windows Analytics solutions? - -| Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements | -|----------------------|-----------------------------------|------------------------------|------------------------------| -| Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery | -| Update Compliance | No additional requirements | Windows 10 | Basic level | -| Device Health | **Any** of the following licenses:
          - Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
          - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
          - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
          - Windows VDA E3 or E5 per-device or per-user subscription
          - Windows Server 2016 or later | Windows 10 | - For Windows 10 version 1709 or later: Enhanced (Limited)
          - For earlier versions: Enhanced - ->[!NOTE] -> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health. - -Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/). -- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources. -- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs. - -Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace. - - -### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? -System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. - -Currently, you can choose the criteria you wish to use: -- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). -- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. - -### How does Upgrade Readiness collect the inventory of devices and applications? -For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. +--- +title: Frequently asked questions and troubleshooting Windows Analytics +ms.reviewer: +manager: laurawi +description: Frequently asked questions about Windows Analytics and steps to take when things go wrong +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Frequently asked questions and troubleshooting Windows Analytics + +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support. + +## Troubleshooting common problems + +If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here. + +[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness) + +[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) + +[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) + +[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability) + +[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) + +[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data) + +[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices) + +[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) + +[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) + +[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results) + +[Disable Upgrade Readiness](#disable-upgrade-readiness) + +[Exporting large data sets](#exporting-large-data-sets) + + +### Devices not appearing in Upgrade Readiness + +In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. + +Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog. + +>[!NOTE] +> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it. + +If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: + +1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included. +2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md). +3. Check that `isVerboseLogging` is set to `$true`. +4. Run the script again. Log files will be saved to the directory specified in the script. +5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully. +6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information. + +If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally. + +If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. + +If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: +1. Net stop diagtrack +2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f +3. Net start diagtrack + +#### Devices not appearing in Device Health Device Reliability + +[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) + +If you have devices that appear in other solutions, but not Device Health (the Device Health overview tile shows "Performing Assessment" or the device count is lower than expected), follow these steps to investigate the issue: +1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. +2. Confirm that the devices are running Windows 10. +3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). +4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). + - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the IT policy path. + - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the user preference (Settings app) path. + - IMPORTANT: By convention (and in earlier versions of Windows 10) the IT policy would take precedence over any user preference. Starting with Windows 10, version 1803, the user can lower the device's effective value even when an IT policy is set. This change assists organizations in complying with regional or organizational expectations about user control over privacy settings. For organizations where user control of privacy settings is not required, the previous behavior (IT policy path always wins) can be enabled using the new policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**. +5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. +6. Wait 48 hours for activity to appear in the reports. +7. If you need additional troubleshooting, contact Microsoft Support. + + +### Device crashes not appearing in Device Health Device Reliability + +[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png) + +If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue: + +1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic. +2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals. +3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): + + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. + +4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes. +5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: + + [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) + + You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). + + ```powershell + $limitToMostRecentNEvents = 20 + Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} | + ?{ $_.Properties[2].Value -match "crash|blue" } | + % { [pscustomobject]@{ + TimeCreated=$_.TimeCreated + WEREvent=$_.Properties[2].Value + BucketId=$_.Properties[0].Value + ContextHint = $( + if($_.Properties[2].Value -eq "bluescreen"){"kernel"} + else{ $_.Properties[5].Value } + ) + }} | Select-Object -First $limitToMostRecentNEvents + ``` + The output should look something like this: + [![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png) + +6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +7. Wait 48 hours for activity to appear in the reports. +8. If you need additional troubleshooting, contact Microsoft Support. + +#### Endpoint connectivity + +Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. + + +For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). + +### Apps not appearing in Device Health App Reliability + +[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png) + +If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue: + +1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic. +2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind: + - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system. + - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes. + - You can also use test apps which are designed to crash on demand. + +3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): + + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +5. Wait 48 hours for activity to appear in the reports. +6. If you need additional troubleshooting, contact Microsoft Support. + + +### Upgrade Readiness shows many "Computers with outdated KB" +If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: + +[![Upgrade Readiness tile showing Computers with outdated KB datum in red box](images/outdated_outdated.png)](images/outdated_outdated.png) + +On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). + +Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool. + + +### Upgrade Readiness shows many "Computers with incomplete data" +If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: + +[![Upgrade Readiness tile showing Computers with incomplete data datum in red box](images/outdated_incomplete.png)](images/outdated_incomplete.png) + +Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results. +See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity. + + +If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale. + + + +### Upgrade Readiness doesn't show app inventory data on some devices +Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). + + +### Upgrade Readiness doesn't show IE site discovery data from some devices +Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.) + +Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. + +There are two additional configurations to check: +1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction. +2. Make sure IE is not running in InPrivate mode. + +Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). + +>[!NOTE] +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. + +### Device names not appearing for Windows 10 devices +Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. + +### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results +This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button. + +We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds: + + +- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds. +- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced. +- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include: + - Log: System, ID: 41, Source: Kernel-Power + - Log System, ID: 6008, Source: EventLog + + + +### Disable Upgrade Readiness + +If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: + +1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. + + ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) + +2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: + + **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* + + **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). + +3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. +4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". + +### Exporting large data sets + +Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time: + +``` +let snapshot = toscalar(UAApp | summarize max(TimeGenerated)); +let pageSize = 100000; +let pageNumber = 0; + +UAApp +| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count" +| order by AppName, AppVendor, AppVersion desc +| serialize +| where row_number(0) >= (pageSize * pageNumber) +| take pageSize +``` + + + +## Other common questions + +### What are the requirements and costs for Windows Analytics solutions? + +| Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements | +|----------------------|-----------------------------------|------------------------------|------------------------------| +| Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery | +| Update Compliance | No additional requirements | Windows 10 | Basic level | +| Device Health | **Any** of the following licenses:
          - Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
          - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
          - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
          - Windows VDA E3 or E5 per-device or per-user subscription
          - Windows Server 2016 or later | Windows 10 | - For Windows 10 version 1709 or later: Enhanced (Limited)
          - For earlier versions: Enhanced + +>[!NOTE] +> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health. + +Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/). +- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources. +- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs. + +Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace. + + +### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? +System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. + +Currently, you can choose the criteria you wish to use: +- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). +- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. + +### How does Upgrade Readiness collect the inventory of devices and applications? +For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index d39c251ca1..77c86f443d 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -1,71 +1,71 @@ ---- -title: Windows Analytics in the Azure Portal -ms.reviewer: -manager: laurawi -description: Use the Azure Portal to add and configure Windows Analytics solutions -keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Analytics in the Azure Portal - -Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. - -**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -## Navigation and permissions in the Azure portal - -Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics workspaces*. Once it appears, you can select the star to add it to your favorites for easy access in the future. - -[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png) - -### Permissions - -It's important to understand the difference between Azure Active Directory and an Azure subscription: - -**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. - -An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. - - ->[!IMPORTANT] ->Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. - -To check the Log Analytics workspaces you can access, select **Log Analytics workspaces**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: - -[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) - -If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). - -When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. - -[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png) - -## Adding Windows Analytics solutions - -In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health": - -[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png) - -Select the solution from the list that is returned by the search, and then select **Create** to add the solution. - -## Navigating to Windows Analytics solutions settings - -To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**: - -[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png) - -From there, select the settings page to adjust specific settings: - -[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) - ->[!NOTE] ->To access these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. +--- +title: Windows Analytics in the Azure Portal +ms.reviewer: +manager: laurawi +description: Use the Azure Portal to add and configure Windows Analytics solutions +keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Analytics in the Azure Portal + +Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. + +**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +## Navigation and permissions in the Azure portal + +Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics workspaces*. Once it appears, you can select the star to add it to your favorites for easy access in the future. + +[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png) + +### Permissions + +It's important to understand the difference between Azure Active Directory and an Azure subscription: + +**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. + +An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. + + +>[!IMPORTANT] +>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. + +To check the Log Analytics workspaces you can access, select **Log Analytics workspaces**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: + +[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) + +If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). + +When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. + +[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png) + +## Adding Windows Analytics solutions + +In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health": + +[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png) + +Select the solution from the list that is returned by the search, and then select **Create** to add the solution. + +## Navigating to Windows Analytics solutions settings + +To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**: + +[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png) + +From there, select the settings page to adjust specific settings: + +[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) + +>[!NOTE] +>To access these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 35a8196735..0a0a06c7eb 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -78,7 +78,7 @@ To enable data sharing, configure your proxy server to whitelist the following e >[!NOTE] >Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland): >- Windows diagnostic data from Windows 8.1 devices ->- App usage data for Windows 7 devices +>- App usage data and [Internet Explorer site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) features for Windows 7 devices diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index 22d20bf71a..833f2db650 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md @@ -1,59 +1,59 @@ ---- -title: Windows Analytics -ms.reviewer: -manager: laurawi -description: Introduction and overview of Windows Analytics -keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: medium -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Analytics overview - -Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: - -## Device Health - -[Device Health](device-health-get-started.md) provides the following: - -- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced -- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes -- Notification of Windows Information Protection misconfigurations that send prompts to end users - - -## Update Compliance - -[Update Compliance](update-compliance-get-started.md) shows you the state of your devices with respect to the Windows updates so that you can ensure that they are on the most current updates as appropriate. In addition, Update Compliance provides the following: - -- Dedicated drill-downs for devices that might need attention -- An inventory of devices, including the version of Windows they are running and their update status -- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices -- An overview of Windows Update for Business deferral configurations (Windows 10, version 1607 and later) -- Powerful built-in log analytics to create useful custom queries -- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure - -## Upgrade Readiness - -[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a service model. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer-level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data-driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. - ->[!NOTE] -> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions). +--- +title: Windows Analytics +ms.reviewer: +manager: laurawi +description: Introduction and overview of Windows Analytics +keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Analytics overview + +Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: + +## Device Health + +[Device Health](device-health-get-started.md) provides the following: + +- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users + + +## Update Compliance + +[Update Compliance](update-compliance-get-started.md) shows you the state of your devices with respect to the Windows updates so that you can ensure that they are on the most current updates as appropriate. In addition, Update Compliance provides the following: + +- Dedicated drill-downs for devices that might need attention +- An inventory of devices, including the version of Windows they are running and their update status +- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices +- An overview of Windows Update for Business deferral configurations (Windows 10, version 1607 and later) +- Powerful built-in log analytics to create useful custom queries +- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure + +## Upgrade Readiness + +[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a service model. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer-level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data-driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. + +>[!NOTE] +> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions). diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 0252876b56..8e7a8558db 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -1,61 +1,61 @@ ---- -title: Windows Analytics and privacy -ms.reviewer: -manager: laurawi -description: How Windows Analytics uses data -keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.localizationpriority: high -ms.collection: M365-analytics -ms.topic: article ---- - -# Windows Analytics and privacy - -Windows Analytics is fully committed to privacy, centering on these tenets: - -- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). -- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics -- **Security:** Your data is protected with strong security and encryption -- **Trust:** Windows Analytics supports the Microsoft Online Service Terms - -The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace: - -[![Diagram illustrating flow of diagnostic data from devices](images/WA-data-flow-v1.png)](images/WA-data-flow-v1.png) - -The data flow sequence is as follows: - -1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US. -2. An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces. -3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service. -4. These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID. -5. The snapshots are then copied to the appropriate Azure Log Analytics workspace. -6. If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.) - - -See these topics for additional background information about related privacy issues: - -- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) -- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) -- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) -- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) -- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) -- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) -- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) -- [Learn about security and privacy at Microsoft datacenters](https://www.microsoft.com/datacenters) -- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) -- [Trust Center](https://www.microsoft.com/trustcenter) - -### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service? -No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity. - -### Can I choose the data center location? -Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US). +--- +title: Windows Analytics and privacy +ms.reviewer: +manager: laurawi +description: How Windows Analytics uses data +keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.localizationpriority: high +ms.collection: M365-analytics +ms.topic: article +--- + +# Windows Analytics and privacy + +Windows Analytics is fully committed to privacy, centering on these tenets: + +- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). +- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics +- **Security:** Your data is protected with strong security and encryption +- **Trust:** Windows Analytics supports the Microsoft Online Service Terms + +The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace: + +[![Diagram illustrating flow of diagnostic data from devices](images/WA-data-flow-v1.png)](images/WA-data-flow-v1.png) + +The data flow sequence is as follows: + +1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US. +2. An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces. +3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service. +4. These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID. +5. The snapshots are then copied to the appropriate Azure Log Analytics workspace. +6. If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.) + + +See these topics for additional background information about related privacy issues: + +- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) +- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) +- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) +- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) +- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) +- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) +- [Learn about security and privacy at Microsoft datacenters](https://www.microsoft.com/datacenters) +- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) +- [Trust Center](https://www.microsoft.com/trustcenter) + +### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service? +No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity. + +### Can I choose the data center location? +Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US). diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 6254ed3b81..ab43140802 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -1,131 +1,131 @@ ---- -title: Windows as a service -ms.prod: windows-10 -layout: LandingPage -ms.topic: landing-page -ms.manager: elizapo -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 01/24/2019 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.collection: M365-modern-desktop ---- -# Windows as a service - -Find the tools and resources you need to help deploy and support Windows as a service in your organization. - -## Latest news, videos, & podcasts - -Find the latest and greatest news on Windows 10 deployment and servicing. - -**Discovering the Windows 10 Update history pages** -> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] - -Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. - -The latest news: - - -[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). - -## IT pro champs corner -Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. - - - -**NEW** Tactical considerations for creating Windows deployment rings - -**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization - -Deployment rings: The hidden [strategic] gem of Windows as a service - -Classifying Windows updates in common deployment tools - -Express updates for Windows Server 2016 re-enabled for November 2018 update - - -2019 SHA-2 Code Signing Support requirement for Windows and WSUS - -Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices - -## Discover - -Learn more about Windows as a service and its value to your organization. - - - -Overview of Windows as a service - -Quick guide to Windows as a service - -Windows Analytics overview - -What's new in Windows 10 deployment - -How Microsoft IT deploys Windows 10 - -## Plan - -Prepare to implement Windows as a service effectively using the right tools, products, and strategies. - - - -Simplified updates - -Windows 10 end user readiness - -Ready for Windows - -Manage Windows upgrades with Upgrade Readiness - -Preparing your organization for a seamless Windows 10 deployment - -## Deploy - -Secure your organization's deployment investment. - - - -Update Windows 10 in the enterprise - -Deploying as an in-place upgrade - -Configure Windows Update for Business - -Express update delivery - -Windows 10 deployment considerations - - -## Microsoft Ignite 2018 - - -Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. - -[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) - -[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) - -[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) - -[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) - -[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) - -[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) - -[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) - -[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) - -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.date: 01/24/2019 +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.collection: M365-modern-desktop +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. + +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Discovering the Windows 10 Update history pages** +> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] + +Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. + +The latest news: + + +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + +**NEW** Tactical considerations for creating Windows deployment rings + +**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization + +Deployment rings: The hidden [strategic] gem of Windows as a service + +Classifying Windows updates in common deployment tools + +Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. + + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index 476a82bf7b..52969656a5 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -1,365 +1,365 @@ ---- -title: Windows Update error code list by component -description: Reference information for Windows Update error codes -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update error codes by component - ->Applies to: Windows 10 - - -This section lists the error codes for Microsoft Windows Update. - -## Automatic Update Errors - -| Error code | Message | Description | -|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| -| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | -| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | -| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | -| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | -| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | -| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | -| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | - -## Windows Update UI errors - -| Error code | Message | Description | -|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| -| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | -| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | -| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | -| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | -| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | -| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | - -## Inventory errors - -| Error code | Message | Description | -|------------|-------------------------------------------|-------------------------------------------------------------------------------| -| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | -| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | -| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | -| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | -| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | - -## Expression evaluator errors - -| Error code | Message | Description | -|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | -| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | -| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | -| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | -|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | -|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | -|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | -|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | - -## Reporter errors - -| Error code | Message | Description | -|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| -|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | -| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | -|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | -|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | -|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | -|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | - -## Redirector errors -The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. - -|Error code|Message|Description | -|-|-|-| -| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | -| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | -| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | -| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | - -## Protocol Talker errors -The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. - - -| Error code | Message | Description | -|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| -|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | -| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | -|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | -|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | -|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | -|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | -|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | -|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | -|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | -|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | -|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | - -## Other Protocol Talker errors -The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. - - -| Error code | Message | Description | -|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | -|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | -|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | -|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | -|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | -|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | -|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | -|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | -|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | -|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | -|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | -|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | -|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | -|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | -|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | -|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | -|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | -|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | -|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | -|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | -|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | -|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | -|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | -|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | -|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | -|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | -|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | -|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | -|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | -|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | -|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | -|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | -|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | -|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | -|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | -|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | -|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | -|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | -|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | -|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | -|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | -|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | -|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | - -## Download Manager errors - -| Error code | Message | Description | -|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | -|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | -|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | -|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | -|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | -|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | -|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | -|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | -|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | -|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | -|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | -|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | - -## Update Handler errors - -| Error code | Message | Description | -|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | -|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | -|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | -|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | -|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | -|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | -|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | -|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | -|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | -|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | -| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | -|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  | -|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | -|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | -|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | -|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | -|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | -|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | -|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | -|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | -|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | -|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | -|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | -|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | -|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | - -## Data Store errors - -| Error code | Message | Description | -|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | -|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | -|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | -|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | -|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | -|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | -|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | -|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | -|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | -|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | -|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | -|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | -|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  | -|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | -|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | -|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | -|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | -|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | -|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | -| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | -| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | -| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | -| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | -| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | -| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  | -| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | -| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | - -## Driver Util errors -The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. - -|Error code|Message|Description -|-|-|-| -| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  -| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  -| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  -| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  -| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  -| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  -| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  -| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  - -## Windows Update error codes - -|Error code|Message|Description -|-|-|-| -| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  -| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  -| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  -| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  -| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  -| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  -| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  -| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  -| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  -| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  -| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  -| 0x8024000C | WU_E_NOOP| No operation was required.  -| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  -| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  -| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  -| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  -| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  -| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  -| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  -| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  -| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  -| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  -| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  -| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  -| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  -| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  -| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  -| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  -| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  -| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  -| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  -| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  -| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  -| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  -| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  -| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  -| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  -| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  -| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  -| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  -| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  -| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  -| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  -| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  -| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  -| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  -| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  -| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  -| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  -| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  -| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  -| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  -| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  -| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  -| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  -| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  -| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  -| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  -| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  - -## Windows Update success codes - -|Error code|Message|Description -|-|-|-| -| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  -| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  -| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  -| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  -| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  -| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  -| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  -| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  - -## Windows Installer minor errors -The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. - -|Error code|Message|Description -|-|-|-| -| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  -| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  -| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  -| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  -| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  - -## Windows Update Agent update and setup errors - -|Error code|Message|Description -|-|-|-| -| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  -| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  -| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  -| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  -| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  -| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  -| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  -| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  -| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  -| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  -| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  -| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  -| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  -| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  -| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  -| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  +--- +title: Windows Update error code list by component +description: Reference information for Windows Update error codes +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update error codes by component + +>Applies to: Windows 10 + + +This section lists the error codes for Microsoft Windows Update. + +## Automatic Update Errors + +| Error code | Message | Description | +|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| +| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | +| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | +| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | +| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | +| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | +| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | + +## Windows Update UI errors + +| Error code | Message | Description | +|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | +| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | +| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | +| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | +| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | +| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | +| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | + +## Inventory errors + +| Error code | Message | Description | +|------------|-------------------------------------------|-------------------------------------------------------------------------------| +| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | +| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | +| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | +| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | +| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | + +## Expression evaluator errors + +| Error code | Message | Description | +|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| +| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | +| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | +| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | +| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | +|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | +|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | +|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | +|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | + +## Reporter errors + +| Error code | Message | Description | +|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| +|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | +| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | +|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | +|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | +|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | +|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | + +## Redirector errors +The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. + +|Error code|Message|Description | +|-|-|-| +| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | +| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | +| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | +| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | + +## Protocol Talker errors +The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. + + +| Error code | Message | Description | +|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | +| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | +|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | +|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | +|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | +|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | +|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | +|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | +|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | +|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | +|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | + +## Other Protocol Talker errors +The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. + + +| Error code | Message | Description | +|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | +|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | +|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | +|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | +|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | +|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | +|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | +|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | +|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | +|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | +|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | +|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | +|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | +|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | +|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | +|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | +|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | +|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | +|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | +|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | +|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | +|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | +|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | +|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | +|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | +|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | +|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | +|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | +|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | +|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | +|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | +|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | +|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | +|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | +|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | +|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | +|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | +|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | +|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | +|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | +|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | +|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | + +## Download Manager errors + +| Error code | Message | Description | +|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | +|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | +|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | +|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | +|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | +|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | +|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | +|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | +|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | +|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | + +## Update Handler errors + +| Error code | Message | Description | +|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | +|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | +|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | +|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | +|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | +|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | +|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | +|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | +|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | +|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | +| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | +|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  | +|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | +|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | +|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | +|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | +|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | +|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | +|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | +|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | +|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | +|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | +|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | +|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | +|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | + +## Data Store errors + +| Error code | Message | Description | +|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | +|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | +|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | +|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | +|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | +|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | +|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | +|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | +|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | +|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | +|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | +|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | +|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  | +|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | +|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | +|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | +|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | +|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | +|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | +| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | +| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | +| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | +| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | +| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | +| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  | +| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | +| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | + +## Driver Util errors +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. + +|Error code|Message|Description +|-|-|-| +| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  +| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  +| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  +| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  +| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  +| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  +| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  +| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  + +## Windows Update error codes + +|Error code|Message|Description +|-|-|-| +| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  +| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  +| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  +| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  +| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  +| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  +| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  +| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  +| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  +| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  +| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  +| 0x8024000C | WU_E_NOOP| No operation was required.  +| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  +| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  +| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  +| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  +| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  +| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  +| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  +| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  +| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  +| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  +| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  +| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  +| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  +| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  +| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  +| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  +| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  +| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  +| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  +| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  +| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  +| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  +| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  +| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  +| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  +| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  +| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  +| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  +| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  +| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  +| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  +| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  +| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  +| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  +| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  +| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  +| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  +| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  +| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  +| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  +| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  +| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  +| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  +| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  +| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  +| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  +| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  + +## Windows Update success codes + +|Error code|Message|Description +|-|-|-| +| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  +| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  +| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  +| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  +| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  +| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  +| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  +| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  + +## Windows Installer minor errors +The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. + +|Error code|Message|Description +|-|-|-| +| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  +| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  +| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  +| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  +| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  + +## Windows Update Agent update and setup errors + +|Error code|Message|Description +|-|-|-| +| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  +| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  +| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  +| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  +| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  +| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  +| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  +| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  +| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  +| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  +| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  +| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  +| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  +| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  +| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  +| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 7d473f04c2..b39238347d 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -1,40 +1,40 @@ ---- -title: Windows Update common errors and mitigation -description: Learn about some common issues you might experience with Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update common errors and mitigation - ->Applies to: Windows 10 - -The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. - - -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
          The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
          Rename the following folders to \*.BAK:
          - %systemroot%\system32\catroot2

          To do this, type the following commands at a command prompt. Press ENTER after you type each command.
          - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
          - Ren %systemroot%\SoftwareDistribution\Download \*.bak
          Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

          If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
          http://.update.microsoft.com
          https://          .update.microsoft.com


          Additionally , you can take a network trace and see what is timing out. \ | -| 0x80072EFD
          0x80072EFE 
          0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
          Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

          Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

          Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - +--- +title: Windows Update common errors and mitigation +description: Learn about some common issues you might experience with Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update common errors and mitigation + +>Applies to: Windows 10 + +The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. + + +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
          The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
          Rename the following folders to \*.BAK:
          - %systemroot%\system32\catroot2

          To do this, type the following commands at a command prompt. Press ENTER after you type each command.
          - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
          - Ren %systemroot%\SoftwareDistribution\Download \*.bak
          Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

          If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
          http://.update.microsoft.com
          https://          .update.microsoft.com


          Additionally , you can take a network trace and see what is timing out. \ | +| 0x80072EFD
          0x80072EFE 
          0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
          Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

          Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

          Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 233ad50d7b..7eec34d793 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,147 +1,147 @@ ---- -title: Windows Update log files -description: Learn about the Windows Update log files -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update log files - ->Applies to: Windows 10 - -The following table describes the log files created by Windows Update. - - -|Log file|Location|Description|When to Use | -|-|-|-|-| -|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| -|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
          When Updates are downloaded but installation is not triggered.
          When Updates are installed but reboot is not triggered. | -|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | -|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| - -## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). - ->[!NOTE] ->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. - -### Windows Update log components -The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: - -- AGENT- Windows Update agent -- AU - Automatic Updates is performing this task -- AUCLNT- Interaction between AU and the logged-on user -- CDM- Device Manager -- CMPRESS- Compression agent -- COMAPI- Windows Update API -- DRIVER- Device driver information -- DTASTOR- Handles database transactions -- EEHNDLER- Expression handler that's used to evaluate update applicability -- HANDLER- Manages the update installers -- MISC- General service information -- OFFLSNC- Detects available updates without network connection -- PARSER- Parses expression information -- PT- Synchronizes updates information to the local datastore -- REPORT- Collects reporting information -- SERVICE- Startup/shutdown of the Automatic Updates service -- SETUP- Installs new versions of the Windows Update client when it is available -- SHUTDWN- Install at shutdown feature -- WUREDIR- The Windows Update redirector files -- WUWEB- The Windows Update ActiveX control -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, and so on) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping a service - ->[!NOTE] ->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. - -### Windows Update log structure -The Windows update log structure is separated into four main identities: - -- Time Stamps -- Process ID and Thread ID -- Component Name -- Update Identifiers - - Update ID and Revision Number - - Revision ID - - Local ID - - Inconsistent terminology - -The WindowsUpdate.log structure is discussed in the following sections. - -#### Time stamps -The time stamp indicates the time at which the logging occurs. -- Messages are usually in chronological order, but there may be exceptions. -- A pause during a sync can indicate a network problem, even if the scan succeeds. -- A long pause near the end of a scan can indicate a supersedence chain issue. - ![Windows Update time stamps](images/update-time-log.png) - - -#### Process ID and thread ID -The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. -- The first four hex digits are the process ID. -- The next four hex digits are the thread ID. -- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. - ![Windows Update process and thread IDs](images/update-process-id.png) - - -#### Component name -Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: - -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, etc.) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping service - -![Windows Update component name](images/update-component-name.png) - - -#### Update identifiers - -##### Update ID and revision number -There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. -- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time -- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service -- Revision numbers are reused from one update to another (not a unique identifier). -- The update ID and revision number are often shown together as "{GUID}.revision." - ![Windows Update update identifiers](images/update-update-id.png) - - -##### Revision ID -- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. -- Revision IDs are unique on a given update source, but not across multiple sources. -- The same update revision may have completely different revision IDs on WU and WSUS. -- The same revision ID may represent different updates on WU and WSUS. - -##### Local ID -- Local ID is a serial number issued when an update is received from a service by a given WU client -- Usually seen in debug logs, especially involving the local cache for update info (Datastore) -- Different client PCs will assign different Local IDs to the same update -- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file - -##### Inconsistent terminology -- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. -- Recognize IDs by form and context: - - - GUIDs are update IDs - - Small integers that appear alongside an update ID are revision numbers - - Large integers are typically revision IDs - - Small integers (especially in Datastore) can be local IDs - ![Windows Update inconsisten terminology](images/update-inconsistent.png) - -## Windows Setup log files analysis using SetupDiag tool -SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). +--- +title: Windows Update log files +description: Learn about the Windows Update log files +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update log files + +>Applies to: Windows 10 + +The following table describes the log files created by Windows Update. + + +|Log file|Location|Description|When to Use | +|-|-|-|-| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
          When Updates are downloaded but installation is not triggered.
          When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | +|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| + +## Generating WindowsUpdate.log +To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). + +>[!NOTE] +>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. + +### Windows Update log components +The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: + +- AGENT- Windows Update agent +- AU - Automatic Updates is performing this task +- AUCLNT- Interaction between AU and the logged-on user +- CDM- Device Manager +- CMPRESS- Compression agent +- COMAPI- Windows Update API +- DRIVER- Device driver information +- DTASTOR- Handles database transactions +- EEHNDLER- Expression handler that's used to evaluate update applicability +- HANDLER- Manages the update installers +- MISC- General service information +- OFFLSNC- Detects available updates without network connection +- PARSER- Parses expression information +- PT- Synchronizes updates information to the local datastore +- REPORT- Collects reporting information +- SERVICE- Startup/shutdown of the Automatic Updates service +- SETUP- Installs new versions of the Windows Update client when it is available +- SHUTDWN- Install at shutdown feature +- WUREDIR- The Windows Update redirector files +- WUWEB- The Windows Update ActiveX control +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, and so on) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping a service + +>[!NOTE] +>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. + +### Windows Update log structure +The Windows update log structure is separated into four main identities: + +- Time Stamps +- Process ID and Thread ID +- Component Name +- Update Identifiers + - Update ID and Revision Number + - Revision ID + - Local ID + - Inconsistent terminology + +The WindowsUpdate.log structure is discussed in the following sections. + +#### Time stamps +The time stamp indicates the time at which the logging occurs. +- Messages are usually in chronological order, but there may be exceptions. +- A pause during a sync can indicate a network problem, even if the scan succeeds. +- A long pause near the end of a scan can indicate a supersedence chain issue. + ![Windows Update time stamps](images/update-time-log.png) + + +#### Process ID and thread ID +The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. +- The first four hex digits are the process ID. +- The next four hex digits are the thread ID. +- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. + ![Windows Update process and thread IDs](images/update-process-id.png) + + +#### Component name +Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: + +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, etc.) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping service + +![Windows Update component name](images/update-component-name.png) + + +#### Update identifiers + +##### Update ID and revision number +There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. +- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time +- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service +- Revision numbers are reused from one update to another (not a unique identifier). +- The update ID and revision number are often shown together as "{GUID}.revision." + ![Windows Update update identifiers](images/update-update-id.png) + + +##### Revision ID +- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- Revision IDs are unique on a given update source, but not across multiple sources. +- The same update revision may have completely different revision IDs on WU and WSUS. +- The same revision ID may represent different updates on WU and WSUS. + +##### Local ID +- Local ID is a serial number issued when an update is received from a service by a given WU client +- Usually seen in debug logs, especially involving the local cache for update info (Datastore) +- Different client PCs will assign different Local IDs to the same update +- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file + +##### Inconsistent terminology +- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. +- Recognize IDs by form and context: + + - GUIDs are update IDs + - Small integers that appear alongside an update ID are revision numbers + - Large integers are typically revision IDs + - Small integers (especially in Datastore) can be local IDs + ![Windows Update inconsisten terminology](images/update-inconsistent.png) + +## Windows Setup log files analysis using SetupDiag tool +SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index c88535580b..3eda438f80 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -1,57 +1,57 @@ ---- -title: Get started with Windows Update -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Get started with Windows Update - ->Applies to: Windows 10 - -With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. - -Ues the following information to get started with Windows Update: - -- Understand the UUP architecture -- Understand [how Windows Update works](how-windows-update-works.md) -- Find [Windows Update log files](windows-update-logs.md) -- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) -- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) -- Review [other resources](windows-update-resources.md) to help you use Windows Update - -## Unified Update Platform (UUP) architecture -To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. - -![Windows Update terminology](images/update-terminology.png) - -- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. -- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. - - Update types- - - OS Feature updates - - OS Security updates - - Device drivers - - Defender definition updates - - >[!NOTE] - > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. - > - >Store apps aren't installed by USO, today they are separate. - -- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. -- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. -- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. - -Additional components include the following- - -- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. -- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. +--- +title: Get started with Windows Update +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Get started with Windows Update + +>Applies to: Windows 10 + +With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. + +Ues the following information to get started with Windows Update: + +- Understand the UUP architecture +- Understand [how Windows Update works](how-windows-update-works.md) +- Find [Windows Update log files](windows-update-logs.md) +- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) +- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) +- Review [other resources](windows-update-resources.md) to help you use Windows Update + +## Unified Update Platform (UUP) architecture +To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. + +![Windows Update terminology](images/update-terminology.png) + +- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. +- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. + + Update types- + - OS Feature updates + - OS Security updates + - Device drivers + - Defender definition updates + + >[!NOTE] + > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. + > + >Store apps aren't installed by USO, today they are separate. + +- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. + +Additional components include the following- + +- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. +- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index b403e77a48..c98b9d29d0 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -1,126 +1,126 @@ ---- -title: Windows Update - Additional resources -description: Additional resources for Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update - additional resources - ->Applies to: Windows 10 - -The following resources provide additional information about using Windows Update. - -## WSUS Troubleshooting - -[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/) - -[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/) - -[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/) - -[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) - - -## How do I reset Windows Update components? - -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. - - -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update. - - -## Reset Windows Update components manually -1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: - ``` - cmd - ``` -2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ``` - net stop bits - net stop wuauserv - ``` -3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: - ``` - Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - ``` -4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. - 1. Rename the following folders to *.BAK: - - %systemroot%\SoftwareDistribution\DataStore - - %systemroot%\SoftwareDistribution\Download - - %systemroot%\system32\catroot2 - - To do this, type the following commands at a command prompt. Press ENTER after you type each command. - - Ren %systemroot%\SoftwareDistribution\DataStore *.bak - - Ren %systemroot%\SoftwareDistribution\Download *.bak - - Ren %systemroot%\system32\catroot2 *.bak - 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) - - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) -5. Type the following command at a command prompt, and then press ENTER: - ``` - cd /d %windir%\system32 - ``` -6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - - regsvr32.exe atl.dll - - regsvr32.exe urlmon.dll - - regsvr32.exe mshtml.dll - - regsvr32.exe shdocvw.dll - - regsvr32.exe browseui.dll - - regsvr32.exe jscript.dll - - regsvr32.exe vbscript.dll - - regsvr32.exe scrrun.dll - - regsvr32.exe msxml.dll - - regsvr32.exe msxml3.dll - - regsvr32.exe msxml6.dll - - regsvr32.exe actxprxy.dll - - regsvr32.exe softpub.dll - - regsvr32.exe wintrust.dll - - regsvr32.exe dssenh.dll - - regsvr32.exe rsaenh.dll - - regsvr32.exe gpkcsp.dll - - regsvr32.exe sccbase.dll - - regsvr32.exe slbcsp.dll - - regsvr32.exe cryptdlg.dll - - regsvr32.exe oleaut32.dll - - regsvr32.exe ole32.dll - - regsvr32.exe shell32.dll - - regsvr32.exe initpki.dll - - regsvr32.exe wuapi.dll - - regsvr32.exe wuaueng.dll - - regsvr32.exe wuaueng1.dll - - regsvr32.exe wucltui.dll - - regsvr32.exe wups.dll - - regsvr32.exe wups2.dll - - regsvr32.exe wuweb.dll - - regsvr32.exe qmgr.dll - - regsvr32.exe qmgrprxy.dll - - regsvr32.exe wucltux.dll - - regsvr32.exe muweb.dll - - regsvr32.exe wuwebv.dll -7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: - ``` - netsh winsock reset - ``` -8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: - ``` - proxycfg.exe -d - ``` -9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ``` - net start bits - - net start wuauserv - ``` -10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: - ``` - bitsadmin.exe /reset /allusers - ``` +--- +title: Windows Update - Additional resources +description: Additional resources for Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update - additional resources + +>Applies to: Windows 10 + +The following resources provide additional information about using Windows Update. + +## WSUS Troubleshooting + +[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/) + +[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/) + +[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/) + +[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) + + +## How do I reset Windows Update components? + +[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. + + +[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update. + + +## Reset Windows Update components manually +1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: + ``` + cmd + ``` +2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + ``` + net stop bits + net stop wuauserv + ``` +3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: + ``` + Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + ``` +4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. + 1. Rename the following folders to *.BAK: + - %systemroot%\SoftwareDistribution\DataStore + - %systemroot%\SoftwareDistribution\Download + - %systemroot%\system32\catroot2 + + To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - Ren %systemroot%\SoftwareDistribution\DataStore *.bak + - Ren %systemroot%\SoftwareDistribution\Download *.bak + - Ren %systemroot%\system32\catroot2 *.bak + 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) + - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) +5. Type the following command at a command prompt, and then press ENTER: + ``` + cd /d %windir%\system32 + ``` +6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - regsvr32.exe atl.dll + - regsvr32.exe urlmon.dll + - regsvr32.exe mshtml.dll + - regsvr32.exe shdocvw.dll + - regsvr32.exe browseui.dll + - regsvr32.exe jscript.dll + - regsvr32.exe vbscript.dll + - regsvr32.exe scrrun.dll + - regsvr32.exe msxml.dll + - regsvr32.exe msxml3.dll + - regsvr32.exe msxml6.dll + - regsvr32.exe actxprxy.dll + - regsvr32.exe softpub.dll + - regsvr32.exe wintrust.dll + - regsvr32.exe dssenh.dll + - regsvr32.exe rsaenh.dll + - regsvr32.exe gpkcsp.dll + - regsvr32.exe sccbase.dll + - regsvr32.exe slbcsp.dll + - regsvr32.exe cryptdlg.dll + - regsvr32.exe oleaut32.dll + - regsvr32.exe ole32.dll + - regsvr32.exe shell32.dll + - regsvr32.exe initpki.dll + - regsvr32.exe wuapi.dll + - regsvr32.exe wuaueng.dll + - regsvr32.exe wuaueng1.dll + - regsvr32.exe wucltui.dll + - regsvr32.exe wups.dll + - regsvr32.exe wups2.dll + - regsvr32.exe wuweb.dll + - regsvr32.exe qmgr.dll + - regsvr32.exe qmgrprxy.dll + - regsvr32.exe wucltux.dll + - regsvr32.exe muweb.dll + - regsvr32.exe wuwebv.dll +7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: + ``` + netsh winsock reset + ``` +8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: + ``` + proxycfg.exe -d + ``` +9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + ``` + net start bits + + net start wuauserv + ``` +10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: + ``` + bitsadmin.exe /reset /allusers + ``` diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 2b51f8351f..ac0087fb59 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -1,217 +1,217 @@ ---- -title: Windows Update troubleshooting -description: Learn how to troubleshoot Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update troubleshooting - ->Applies to: Windows 10 - -If you run into problems when using Windows Update, start with the following steps: - -1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. -3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) - - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) - - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) - - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) - -Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. - -You might encounter the following scenarios when using Windows Update. - -## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following: - -- OS Build -- OS Branch -- OS Locale -- OS Architecture -- Device update management configuration - -If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. - -## My machine is frozen at scan. Why? -The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: -1. Close the Settings app and reopen it. -2. Launch Services.msc and check if the following services are running: - - Update State Orchestrator - - Windows Update - -## Feature updates are not being offered while other updates are -On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. - -Checking the WindowsUpdate.log reveals the following error: -``` -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 -``` - -The 0x80070426 error code translates to: -``` -ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. -``` - -Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. - -In order to solve this issue, we need to reset the MSA service to the default StartType of manual. - -## Issues related to HTTP/Proxy -Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. - -To fix this issue, configure a proxy in WinHTTP by using the following netsh command: - -``` -netsh winhttp set proxy ProxyServerName:PortNumber -``` - ->[!NOTE] -> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie - -If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. - -You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: - -*.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com -*.emdl.ws.microsoft.com - -If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). - - -## The update is not applicable to your computer -The most common reasons for this error are described in the following table: - -|Cause|Explanation|Resolution| -|-----|-----------|----------| -|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | -|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| -|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
          Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
          Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
          get-hotfix KB3173424,KB2919355,KB2919442
          If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. - -## Issues related to firewall configuration -Error that may be seen in the WU logs: -``` -DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. -``` -Or -``` -[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 -``` -Or -``` -DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A -``` - -Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). - -## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. - -See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. - - -## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: -1. Start Windows PowerShell as an administrator -2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". -3. Run \$MUSM.Services. - -Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. - -|Output|Interpretation| -|-|-| -|- Name: Microsoft Update
          -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
          - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | -|- Name: DCat Flighting Prod
          - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
          - Indicates that the client is configured to receive feature updates from Windows Update. | -|- Name: Windows Store (DCat Prod)
          - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
          - Indicates that the client will not receive or is not configured to receive these updates.| -|- Name: Windows Server Update Service
          - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
          - The client is configured to receive updates from WSUS. | -|- Name: Windows Update
          - OffersWindowsUpdates: True|- The source is Windows Update.
          - The client is configured to receive updates from Windows Update Online.| - -## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: - -``` -HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. -``` - -From the WU logs: -``` -2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -2018-08-06 09:33:31:085 480 1118 Agent ********* -2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates -2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No -2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" -2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service -2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} -2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities -2018-08-06 09:33:32:554 480 1118 Agent ********* -2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -``` - -In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. - -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. - -``` -2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -2018-08-06 10:58:45:992 480 5d8 Agent ********* -2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No -2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" - -2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 -2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities -2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates -2018-08-06 10:58:47:383 480 5d8 Agent ********* -2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -``` - -## High bandwidth usage on Windows 10 by Windows Update -Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. - -The following group policies can help mitigate this: - -- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) -- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") -- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) - -Other components that reach out to the internet: - -- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) +--- +title: Windows Update troubleshooting +description: Learn how to troubleshoot Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update troubleshooting + +>Applies to: Windows 10 + +If you run into problems when using Windows Update, start with the following steps: + +1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + + - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) + - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) + - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) + - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) + +Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. + +You might encounter the following scenarios when using Windows Update. + +## Why am I offered an older update/upgrade? +The update that is offered to a device depends on several factors. Some of the most common attributes include the following: + +- OS Build +- OS Branch +- OS Locale +- OS Architecture +- Device update management configuration + +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. + +## My machine is frozen at scan. Why? +The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +1. Close the Settings app and reopen it. +2. Launch Services.msc and check if the following services are running: + - Update State Orchestrator + - Windows Update + +## Feature updates are not being offered while other updates are +On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. + +Checking the WindowsUpdate.log reveals the following error: +``` +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 +``` + +The 0x80070426 error code translates to: +``` +ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. +``` + +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. + +In order to solve this issue, we need to reset the MSA service to the default StartType of manual. + +## Issues related to HTTP/Proxy +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. + +To fix this issue, configure a proxy in WinHTTP by using the following netsh command: + +``` +netsh winhttp set proxy ProxyServerName:PortNumber +``` + +>[!NOTE] +> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie + +If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. + +You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: + +*.download.windowsupdate.com +*.dl.delivery.mp.microsoft.com +*.emdl.ws.microsoft.com + +If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). + + +## The update is not applicable to your computer +The most common reasons for this error are described in the following table: + +|Cause|Explanation|Resolution| +|-----|-----------|----------| +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| +|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
          Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
          Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
          get-hotfix KB3173424,KB2919355,KB2919442
          If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. + +## Issues related to firewall configuration +Error that may be seen in the WU logs: +``` +DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. +``` +Or +``` +[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 +``` +Or +``` +DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A +``` + +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). + +## Issues arising from configuration of conflicting policies +Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. + +See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. + + +## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +1. Start Windows PowerShell as an administrator +2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". +3. Run \$MUSM.Services. + +Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. + +|Output|Interpretation| +|-|-| +|- Name: Microsoft Update
          -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
          - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | +|- Name: DCat Flighting Prod
          - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
          - Indicates that the client is configured to receive feature updates from Windows Update. | +|- Name: Windows Store (DCat Prod)
          - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
          - Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: Windows Server Update Service
          - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
          - The client is configured to receive updates from WSUS. | +|- Name: Windows Update
          - OffersWindowsUpdates: True|- The source is Windows Update.
          - The client is configured to receive updates from Windows Update Online.| + +## You have a bad setup in the environment +If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: + +``` +HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +``` + +From the WU logs: +``` +2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +2018-08-06 09:33:31:085 480 1118 Agent ********* +2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates +2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No +2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" +2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service +2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} +2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities +2018-08-06 09:33:32:554 480 1118 Agent ********* +2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +``` + +In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. + +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. + +``` +2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +2018-08-06 10:58:45:992 480 5d8 Agent ********* +2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No +2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" + +2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 +2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities +2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates +2018-08-06 10:58:47:383 480 5d8 Agent ********* +2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +``` + +## High bandwidth usage on Windows 10 by Windows Update +Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. + +The following group policies can help mitigate this: + +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) + +Other components that reach out to the internet: + +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index e2d14bf393..9bdabe44ba 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md @@ -1,37 +1,37 @@ ---- -title: Setting up Automatic Update in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Set up Automatic Update in Windows Update for Business with group policies - ->Applies to: Windows 10 - -Use the Automatic Update group policies to manage the interaction between Windows Update and clients. - -Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. - -|Policy|Description | -|-|-| -|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| -|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| -|Do not connect to any Windows Update Internet locations
          Required for Dual Scan|Prevents access to Windows Update.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

          **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

          **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| -|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
          **Check for updates on the following interval (hours)**: 22| -|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | +--- +title: Setting up Automatic Update in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Set up Automatic Update in Windows Update for Business with group policies + +>Applies to: Windows 10 + +Use the Automatic Update group policies to manage the interaction between Windows Update and clients. + +Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. + +|Policy|Description | +|-|-| +|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| +|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| +|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.| +|Do not connect to any Windows Update Internet locations
          Required for Dual Scan|Prevents access to Windows Update.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

          **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

          **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| +|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
          **Check for updates on the following interval (hours)**: 22| +|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index 24c01317ea..e1e9419e08 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md @@ -1,29 +1,29 @@ ---- -title: Configure the Basic group policy for Windows Update for Business -description: Learn how to get started using the Basic GPO in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Configure the Basic group policy for Windows Update for Business - -For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. - -|Policy name|Description | -|-|-| -|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| -|Configure Commercial ID|This policy allows you to join the device to an entity.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
          **Option**: 1-Basic| -|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
          **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| +--- +title: Configure the Basic group policy for Windows Update for Business +description: Learn how to get started using the Basic GPO in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Configure the Basic group policy for Windows Update for Business + +For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. + +|Policy name|Description | +|-|-| +|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| +|Configure Commercial ID|This policy allows you to join the device to an entity.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
          **Option**: 1-Basic| +|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
          **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index e464692f3f..bb088093c1 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -1,100 +1,100 @@ ---- -title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) -description: Learn how to enforce compliance deadlines using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Enforcing compliance deadlines for updates - ->Applies to: Windows 10 - -Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from: - -- [Deadline only](#deadline-only) -- [Deadline with user engagement](#deadline-with-user-engagement) - -## Deadline Only - -This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. - -### End User Experience - -Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. - ->[!NOTE] ->Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). - -### Policy overview - -|Policy|Description | -|-|-| -|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. It specifies a deadline, in days, to enforce compliance (such as imminent install).| -|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.| - -### Suggested Configuration - -|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance | -|-|-|-|-|-| -|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 4 - -### Controlling notification experience for deadline - -|Policy| Location|Suggested Configuration | -|-|-|-| -|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
          **Reminder** (hours): 2
          **Warning** (minutes): 60 | - -### Notification experience for deadline - -Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) - -Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) - -## Deadline with user engagement - -This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. - -### End user experience - -Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. - -### Policy overview - -|Policy| Description | -|-|-| -|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time| -|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. They will have the option to confirm or dismiss the notification| - -### Suggested configuration - -|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance | -|-|-|-|-|-| -|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 3|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 4|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 5| - -### Controlling notification experience for engaged deadline - -|Policy| Location |Suggested Configuration -|-|-|-| -|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
          **Method**: 2- User| - -### Notification experience for engaged deadlines -Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) - -Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) - -Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) - -Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) +--- +title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) +description: Learn how to enforce compliance deadlines using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Enforcing compliance deadlines for updates + +>Applies to: Windows 10 + +Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from: + +- [Deadline only](#deadline-only) +- [Deadline with user engagement](#deadline-with-user-engagement) + +## Deadline Only + +This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. + +### End User Experience + +Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. + +>[!NOTE] +>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). + +### Policy overview + +|Policy|Description | +|-|-| +|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. It specifies a deadline, in days, to enforce compliance (such as imminent install).| +|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.| + +### Suggested Configuration + +|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance | +|-|-|-|-|-| +|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
          **Specify the number of days before pending restart will automatically be executed outside of active hours**: 4 + +### Controlling notification experience for deadline + +|Policy| Location|Suggested Configuration | +|-|-|-| +|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
          **Reminder** (hours): 2
          **Warning** (minutes): 60 | + +### Notification experience for deadline + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) + +## Deadline with user engagement + +This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. + +### End user experience + +Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. + +### Policy overview + +|Policy| Description | +|-|-| +|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time| +|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. They will have the option to confirm or dismiss the notification| + +### Suggested configuration + +|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance | +|-|-|-|-|-| +|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 3|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 4|State: Enabled
          **Transition** (Days): 2
          **Snooze** (Days): 2
          **Deadline** (Days): 5| + +### Controlling notification experience for engaged deadline + +|Policy| Location |Suggested Configuration +|-|-|-| +|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
          **Method**: 2- User| + +### Notification experience for engaged deadlines +Notification users get for quality update engaged deadline: +![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update engaged deadline: +![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index d45d3a878d..a43179a6a8 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -1,68 +1,68 @@ ---- -title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business -description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/21/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Managing drivers, dual-managed environments, and Delivery Optimization with group policies - ->Applies to: Windows 10 - -Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. - -## Managing drivers -Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. - -### Policy overview - -|Policy| Description | -|-|-| -|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | - -## Dual-managed environment - -You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. - -|Policy| Description | -|-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
          **Set the Intranet Update service for detecting updates**:
          **Set the Intranet statistics server**:
          **Set the alternate download server**: | - -## Download Optimization - Managing your bandwidth - -[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. - -|Policy| Description | -|-|-| -|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| -|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
          Choose a size that meets your environment's constraints.| -|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | -|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| - -### Suggested configuration - -|Policy| Location| Suggested configuration | -|-|-|-| -|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
          **Download Mode**: Group (2)| -|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
          **Minimum Peer caching content file size (in MB)**: 10 MB| -|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
          **Minimum battery level (Percentage)**: 60| -|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
          **Max Cache Age (in seconds)**: 604800 ~ 7 days| +--- +title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business +description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/21/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Managing drivers, dual-managed environments, and Delivery Optimization with group policies + +>Applies to: Windows 10 + +Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. + +## Managing drivers +Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. + +### Policy overview + +|Policy| Description | +|-|-| +|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | + +## Dual-managed environment + +You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. + +|Policy| Description | +|-|-| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
          **Set the Intranet Update service for detecting updates**:
          **Set the Intranet statistics server**:
          **Set the alternate download server**: | + +## Download Optimization - Managing your bandwidth + +[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. + +|Policy| Description | +|-|-| +|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| +|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
          Choose a size that meets your environment's constraints.| +|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | +|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| + +### Suggested configuration + +|Policy| Location| Suggested configuration | +|-|-|-| +|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
          **Download Mode**: Group (2)| +|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
          **Minimum Peer caching content file size (in MB)**: 10 MB| +|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
          **Minimum battery level (Percentage)**: 60| +|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
          **Max Cache Age (in seconds)**: 604800 ~ 7 days| diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 329656a29e..6ba3572c05 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md @@ -1,59 +1,59 @@ ---- -title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Manage feature and quality updates with group policies - ->Applies to: Windows 10 - -Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). - -The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. - -## Policy overview - -|Policy name| Description | -|-|-| -|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | -|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | -|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| - -## Suggested configuration for a non-wave deployment - -If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: - -|Policy| Location|Suggested configuration | -|-|-|-| -|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0-365
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes| -|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| - -## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) - -## Early validation and testing -Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: WIP Fast or WIP slow
          **Defer receiving for this many days**: 0
          **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| -|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| - -## Wave deployment for feature updates - -If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0, 30, 60, 90, 120
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes +--- +title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Manage feature and quality updates with group policies + +>Applies to: Windows 10 + +Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). + +The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. + +## Policy overview + +|Policy name| Description | +|-|-| +|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | +|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | +|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| + +## Suggested configuration for a non-wave deployment + +If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: + +|Policy| Location|Suggested configuration | +|-|-|-| +|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0-365
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes| +|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| + +## Suggested configuration for a wave deployment +![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) + +## Early validation and testing +Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: WIP Fast or WIP slow
          **Defer receiving for this many days**: 0
          **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| +|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
          **Defer receiving it for this many days**: 0
          **Pause Quality Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a quality update until the time passes| + +## Wave deployment for feature updates + +If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
          **Select Windows Readiness Level**: SAC
          **Defer receiving for this many days**: 0, 30, 60, 90, 120
          **Pause Feature Updates**: Blank
          *Note: use this functionality to prevent the device from receiving a feature update until the time passes diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md index fac68e1a9c..98d62be2fa 100644 --- a/windows/deployment/update/wufb-onboard.md +++ b/windows/deployment/update/wufb-onboard.md @@ -1,47 +1,47 @@ ---- -title: Onboarding to Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greg-lindsay -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Onboarding to Windows Update for Business in Windows 10 - ->Applies to: Windows 10 - -Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: - -- Interaction between the client and Windows Update service -- End user notification for pending updates -- Compliance deadlines for feature or quality updates -- Configure wave deployment for feature or quality updates bandwidth optimization - -We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: - -- Uninstall latest feature or quality update -- Pause for a duration of time - -Use the following information to set up your environment using Windows Update for Business policies: - -- [Supported SKUs](#supported-editions) -- [Windows Update for Business basics](wufb-basics.md) -- [Setting up automatic update](wufb-autoupdate.md) -- [Managing feature and quality updates](wufb-manageupdate.md) -- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) -- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) - -## Supported editions - -Windows Update for Business is supported on the following editions of Windows 10: - -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Pro -- Windows 10 S (for Windows 10, version 1709 and earlier) +--- +title: Onboarding to Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.audience: itpro author: greg-lindsay +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Onboarding to Windows Update for Business in Windows 10 + +>Applies to: Windows 10 + +Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: + +- Interaction between the client and Windows Update service +- End user notification for pending updates +- Compliance deadlines for feature or quality updates +- Configure wave deployment for feature or quality updates bandwidth optimization + +We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: + +- Uninstall latest feature or quality update +- Pause for a duration of time + +Use the following information to set up your environment using Windows Update for Business policies: + +- [Supported SKUs](#supported-editions) +- [Windows Update for Business basics](wufb-basics.md) +- [Setting up automatic update](wufb-autoupdate.md) +- [Managing feature and quality updates](wufb-manageupdate.md) +- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) +- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) + +## Supported editions + +Windows Update for Business is supported on the following editions of Windows 10: + +- Windows 10 Education +- Windows 10 Enterprise +- Windows 10 Pro +- Windows 10 S (for Windows 10, version 1709 and earlier) diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 2344d36ef8..0216aec2c1 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -1,171 +1,171 @@ ---- -title: Log files - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Log files - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 400 level topic (advanced).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. - -Note: Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. - -The following table describes some log files and how to use them for troubleshooting purposes:
          - -
          - - - - - - - - - - - - - - - - -
          Log filePhase: LocationDescriptionWhen to use
          setupact.logDown-Level:
          $Windows.~BT\Sources\Panther          		Contains information about setup actions during the downlevel phase. All down-level failures and starting point for rollback investigations.
          This is the most important log for diagnosing setup issues.
          OOBE:
          $Windows.~BT\Sources\Panther\UnattendGC          		Contains information about actions during the OOBE phase.Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
          Rollback:
          $Windows.~BT\Sources\Rollback          		Contains information about actions during rollback.Investigating generic rollbacks - 0xC1900101.
          Pre-initialization (prior to downlevel):
          Windows          		Contains information about initializing setup.If setup fails to launch.
          Post-upgrade (after OOBE):
          Windows\Panther          		Contains information about setup actions during the installation.Investigate post-upgrade related issues.
          setuperr.logSame as setupact.logContains information about setup errors during the installation.Review all errors encountered during the installation phase.
          miglog.xmlPost-upgrade (after OOBE):
          Windows\Panther          		Contains information about what was migrated during the installation.Identify post upgrade data migration issues.
          BlueBox.logDown-Level:
          Windows\Logs\Mosetup          		Contains information communication between setup.exe and Windows Update.Use during WSUS and WU down-level failures or for 0xC1900107.
          Supplemental rollback logs:
          -Setupmem.dmp
          -setupapi.dev.log
          -Event logs (*.evtx)          		$Windows.~BT\Sources\RollbackAdditional logs collected during rollback. -Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
          -Setupapi: Device install issues - 0x30018
          -Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
          - -## Log entry structure - -A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements: - -
            -
          1. The date and time - 2016-09-08 09:20:05. -
          2. The log level - Info, Warning, Error, Fatal Error. -
          3. The logging component - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS. -
              -
            • The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors. -
            -
          4. The message - Operation completed successfully. -
          - -See the following example: - -| Date/Time | Log level | Component | Message | -|------|------------|------------|------------| -|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.| - - -## Analyze log files - ->The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes). - -
          To analyze Windows Setup log files: - -
            -
          1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process. -
          2. Based on the extend code portion of the error code, determine the type and location of a log files to investigate. -
          3. Open the log file in a text editor, such as notepad. -
          4. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. -
          5. To find the last occurrence of the result code: -
              -
            1. Scroll to the bottom of the file and click after the last character. -
            2. Click Edit. -
            3. Click Find. -
            4. Type the result code. -
            5. Under Direction select Up. -
            6. Click Find Next. -
            -
          6. When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code. -
          7. Search for the following important text strings: -
              -
            • Shell application requested abort -
            • Abandoning apply due to error for object -
            -
          8. Decode Win32 errors that appear in this section. -
          9. Write down the timestamp for the observed errors in this section. -
          10. Search other log files for additional information matching these timestamps or errors. -
          - -For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file: - ->Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN." - -
          setuperr.log content: - -
          -27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
-27:08, Error                  Gather failed. Last error: 0x00000000
-27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
-27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
-27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
-27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
-27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
-
          - -The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below): - -
          -27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-
          - -The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. - -Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure: - -
          setupact.log content: - -
          -27:00, Info                   Gather started at 10/5/2016 23:27:00
-27:00, Info [0x080489] MIG    Setting system object filter context (System)
-27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
-27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
-27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
-27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
-27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
-27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
-27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
-27:08, Info [0x080489] MIG    Setting system object filter context (System)
-27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
-27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
-27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
-27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
-27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
-27:08, Error                  Gather failed. Last error: 0x00000000
-27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
-27:08, Info                   Leaving MigGather method
-27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
-
          - - -
          This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Log files - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Log files + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 400 level topic (advanced).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. + +Note: Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. + +The following table describes some log files and how to use them for troubleshooting purposes:
          + +
          + + + + + + + + + + + + + + + + +
          Log filePhase: LocationDescriptionWhen to use
          setupact.logDown-Level:
          $Windows.~BT\Sources\Panther          		Contains information about setup actions during the downlevel phase. All down-level failures and starting point for rollback investigations.
          This is the most important log for diagnosing setup issues.
          OOBE:
          $Windows.~BT\Sources\Panther\UnattendGC          		Contains information about actions during the OOBE phase.Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
          Rollback:
          $Windows.~BT\Sources\Rollback          		Contains information about actions during rollback.Investigating generic rollbacks - 0xC1900101.
          Pre-initialization (prior to downlevel):
          Windows          		Contains information about initializing setup.If setup fails to launch.
          Post-upgrade (after OOBE):
          Windows\Panther          		Contains information about setup actions during the installation.Investigate post-upgrade related issues.
          setuperr.logSame as setupact.logContains information about setup errors during the installation.Review all errors encountered during the installation phase.
          miglog.xmlPost-upgrade (after OOBE):
          Windows\Panther          		Contains information about what was migrated during the installation.Identify post upgrade data migration issues.
          BlueBox.logDown-Level:
          Windows\Logs\Mosetup          		Contains information communication between setup.exe and Windows Update.Use during WSUS and WU down-level failures or for 0xC1900107.
          Supplemental rollback logs:
          +Setupmem.dmp
          +setupapi.dev.log
          +Event logs (*.evtx)          		$Windows.~BT\Sources\RollbackAdditional logs collected during rollback. +Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
          +Setupapi: Device install issues - 0x30018
          +Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
          + +## Log entry structure + +A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements: + +
            +
          1. The date and time - 2016-09-08 09:20:05. +
          2. The log level - Info, Warning, Error, Fatal Error. +
          3. The logging component - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS. +
              +
            • The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors. +
            +
          4. The message - Operation completed successfully. +
          + +See the following example: + +| Date/Time | Log level | Component | Message | +|------|------------|------------|------------| +|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.| + + +## Analyze log files + +>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes). + +
          To analyze Windows Setup log files: + +
            +
          1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process. +
          2. Based on the extend code portion of the error code, determine the type and location of a log files to investigate. +
          3. Open the log file in a text editor, such as notepad. +
          4. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +
          5. To find the last occurrence of the result code: +
              +
            1. Scroll to the bottom of the file and click after the last character. +
            2. Click Edit. +
            3. Click Find. +
            4. Type the result code. +
            5. Under Direction select Up. +
            6. Click Find Next. +
            +
          6. When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code. +
          7. Search for the following important text strings: +
              +
            • Shell application requested abort +
            • Abandoning apply due to error for object +
            +
          8. Decode Win32 errors that appear in this section. +
          9. Write down the timestamp for the observed errors in this section. +
          10. Search other log files for additional information matching these timestamps or errors. +
          + +For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file: + +>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN." + +
          setuperr.log content: + +
          +27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
+27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
+
          + +The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below): + +
          +27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+
          + +The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. + +Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure: + +
          setupact.log content: + +
          +27:00, Info                   Gather started at 10/5/2016 23:27:00
+27:00, Info [0x080489] MIG    Setting system object filter context (System)
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
+27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
+27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
+27:08, Info [0x080489] MIG    Setting system object filter context (System)
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
+27:08, Info                   Leaving MigGather method
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+
          + + +
          This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index 1fb24f2e4e..078074ba23 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -1,47 +1,47 @@ ---- -title: Manage Windows upgrades with Upgrade Readiness (Windows 10) -description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.date: 04/25/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.topic: article ---- - -# Manage Windows upgrades with Upgrade Readiness - -Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: - -- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -## **Related topics** - -[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
          -[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          -[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          -[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          -[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) +--- +title: Manage Windows upgrades with Upgrade Readiness (Windows 10) +description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.topic: article +--- + +# Manage Windows upgrades with Upgrade Readiness + +Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: + +- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) + +## **Related topics** + +[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
          +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          +[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          +[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index f258bb2378..305917b360 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -1,239 +1,239 @@ ---- -title: Quick fixes - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Quick fixes - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 100 level topic (basic).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10). - -The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. - ->You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis. - -## List of fixes - -
            -
          1. Remove nonessential external hardware, such as docks and USB devices. More information.
            2. -
          2. Check the system drive for errors and attempt repairs. More information.
            3. -
          3. Run the Windows Update troubleshooter. More information.
            4. -
          4. Attempt to restore and repair system files. More information.
            5. -
          5. Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
            6. -
          6. Temporarily uninstall non-Microsoft antivirus software. - More information.
            7. - -
          7. Uninstall all nonessential software. More information.
            8. -
          8. Update firmware and drivers. More information
            9. -
          9. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
            10. -
          10. Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
            11. -
          - -## Step by step instructions - -### Remove external hardware - -If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)). - -Unplug nonessential external hardware devices from the computer, such as: -- Headphones -- Joysticks -- Printers -- Plotters -- Projectors -- Scanners -- Speakers -- USB flash drives -- Portable hard drives -- Portable CD/DVD/Blu-ray drives -- Microphones -- Media card readers -- Cameras/Webcams -- Smart phones -- Secondary monitors, keyboards, mice - -For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware) - -### Repair the system drive - -The system drive is the drive that contains the [system partition](https://docs.microsoft.com/windows-hardware/manufacture/desktop/hard-drives-and-partitions#span-idpartitionsspanspan-idpartitionsspanspan-idpartitionsspanpartitions). This is usually the **C:** drive. - -To check and repair errors on the system drive: - -1. Click **Start**. -2. Type **command**. -3. Right-click **Command Prompt** and then left-click **Run as administrator**. -4. If you are prompted by UAC, click **Yes**. -5. Type **chkdsk /F** and press ENTER. -6. When you are prompted to schedule a check the next time the system restarts, type **Y**. -7. See the following example - - ``` - C:\WINDOWS\system32>chkdsk /F - The type of the file system is NTFS. - Cannot lock current drive. - - Chkdsk cannot run because the volume is in use by another - process. Would you like to schedule this volume to be - checked the next time the system restarts? (Y/N) Y - - This volume will be checked the next time the system restarts. - ``` - -8. Restart the computer. The computer will pause before loading Windows and perform a repair of your hard drive. - -### Windows Update Troubleshooter - -The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating. - -For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu). - -For Windows 10, the tool is [here](https://aka.ms/wudiag). - -To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems. - -You can also download the Windows Update Troubleshooter by starting the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/), typing **update Windows**, selecting the version of Windows you are running, and then answering **Yes** when asked "Do you need help troubleshooting Windows Update?" - -If any errors are displayed in the Windows Update Troubleshooter, use the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) to ask about these errors. The Virtual Agent will perform a search and provide a list of helpful links. - -### Repair system files - -This fix is also described in detail at [answers.microsoft.com](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93). - -To check and repair system files: - -1. Click **Start**. -2. Type **command**. -3. Right-click **Command Prompt** and then left-click **Run as administrator**. -4. If you are prompted by UAC, click **Yes**. -5. Type **sfc /scannow** and press ENTER. See the following example: - - ``` - C:\>sfc /scannow - - Beginning system scan. This process will take some time. - - Beginning verification phase of system scan. - Verification 100% complete. - - Windows Resource Protection did not find any integrity violations. - ``` -6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example: - - ``` - C:\>DISM.exe /Online /Cleanup-image /Restorehealth - - Deployment Image Servicing and Management tool - Version: 10.0.16299.15 - - Image Version: 10.0.16299.309 - - [==========================100.0%==========================] The restore operation completed successfully. - The operation completed successfully. - - ``` - >It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image). - - -### Update Windows - -You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer. - -The Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) can walk you through the process of making sure that Windows is updated. - -Start the [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) and then type "update windows." - -Answer questions that the agent asks, and follow instructions to ensure that Windows is up to date. You can also run the [Windows Update Troubleshooter](#windows-update-troubleshooter) described above. - -Click **Start**, click power options, and then restart the computer. - -### Uninstall non-Microsoft antivirus software - -Use Windows Defender for protection during the upgrade. - -Verify compatibility information, and if desired re-install antivirus applications after the upgrade. If you plan to re-install the application after upgrading, be sure that you have the installation media and all required activation information before removing the program. - -To remove the application, go to **Control Panel\Programs\Programs and Features** and click the antivirus application, then click Uninstall. Choose **Yes** when you are asked to confirm program removal. - -For more information, see [Windows 7 - How to properly uninstall programs](https://support.microsoft.com/help/2601726) or [Repair or remove programs in Windows 10](https://support.microsoft.com/help/4028054/windows-repair-or-remove-programs-in-windows-10). - -### Uninstall non-essential software - -Outdated applications can cause problems with a Windows upgrade. Removing old or non-essential applications from the computer can therefore help. - -If you plan to reinstall the application later, be sure that you have the installation media and all required activation information before removing it. - -To remove programs, use the same steps as are provided [above](#uninstall-non-microsoft-antivirus-software) for uninstalling non-Microsoft antivirus software, but instead of removing the antivirus application repeat the steps for all your non-essential, unused, or out-of-date software. - -### Update firmware and drivers - -Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed. - -Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). - -To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions. - -### Ensure that "Download and install updates" is selected - -When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: - -![Get important updates](../images/update.jpg) - -### Verify disk space - -You can see a list of requirements for Windows 10 at [Windows 10 Specifications & System Requirements](https://www.microsoft.com/windows/windows-10-specifications). One of the requirements is that enough hard drive space be available for the installation to take place. At least 16 GB of free space must be available on the system drive to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. - -To view how much hard drive space is available on your computer, open [File Explorer](https://support.microsoft.com/help/4026617/windows-windows-explorer-has-a-new-name). In Windows 7, this was called Windows Explorer. - -In File Explorer, click on **Computer** or **This PC** on the left, then look under **Hard Disk Drives** or under **Devices and drives**. If there are multiple drives listed, the system drive is the drive that includes a Microsoft Windows logo above the drive icon. - -The amount of space available on the system drive will be displayed under the drive. See the following example: - -![System drive](../images/drive.png) - -In the previous example, there is 703 GB of available free space on the system drive (C:). - -To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: - -![Disk cleanup](../images/cleanup.png) - -For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). - -When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version. - -### Open an elevated command prompt - ->It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool. - -To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). - -Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). - -If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder. - -If you downloaded the SetupDiag.exe program to your computer, then copied it to the folder C:\new, and you opened an elevated command prompt then typed cd c:\new to change to this directory, you can just type setupdiag and press ENTER to run the program. This program will analyze the files on your computer to see why a Windows Upgrade failed and if the reason was a common one, it will report this reason. It will not fix the problem for you but knowing why the upgrade failed enables you to take steps to fix the problem. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Quick fixes - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Quick fixes + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 100 level topic (basic).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10). + +The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. + +>You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis. + +## List of fixes + +
            +
          1. Remove nonessential external hardware, such as docks and USB devices. More information.
            2. +
          2. Check the system drive for errors and attempt repairs. More information.
            3. +
          3. Run the Windows Update troubleshooter. More information.
            4. +
          4. Attempt to restore and repair system files. More information.
            5. +
          5. Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
            6. +
          6. Temporarily uninstall non-Microsoft antivirus software. + More information.
            7. + +
          7. Uninstall all nonessential software. More information.
            8. +
          8. Update firmware and drivers. More information
            9. +
          9. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
            10. +
          10. Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
            11. +
          + +## Step by step instructions + +### Remove external hardware + +If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)). + +Unplug nonessential external hardware devices from the computer, such as: +- Headphones +- Joysticks +- Printers +- Plotters +- Projectors +- Scanners +- Speakers +- USB flash drives +- Portable hard drives +- Portable CD/DVD/Blu-ray drives +- Microphones +- Media card readers +- Cameras/Webcams +- Smart phones +- Secondary monitors, keyboards, mice + +For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware) + +### Repair the system drive + +The system drive is the drive that contains the [system partition](https://docs.microsoft.com/windows-hardware/manufacture/desktop/hard-drives-and-partitions#span-idpartitionsspanspan-idpartitionsspanspan-idpartitionsspanpartitions). This is usually the **C:** drive. + +To check and repair errors on the system drive: + +1. Click **Start**. +2. Type **command**. +3. Right-click **Command Prompt** and then left-click **Run as administrator**. +4. If you are prompted by UAC, click **Yes**. +5. Type **chkdsk /F** and press ENTER. +6. When you are prompted to schedule a check the next time the system restarts, type **Y**. +7. See the following example + + ``` + C:\WINDOWS\system32>chkdsk /F + The type of the file system is NTFS. + Cannot lock current drive. + + Chkdsk cannot run because the volume is in use by another + process. Would you like to schedule this volume to be + checked the next time the system restarts? (Y/N) Y + + This volume will be checked the next time the system restarts. + ``` + +8. Restart the computer. The computer will pause before loading Windows and perform a repair of your hard drive. + +### Windows Update Troubleshooter + +The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating. + +For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu). + +For Windows 10, the tool is [here](https://aka.ms/wudiag). + +To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems. + +You can also download the Windows Update Troubleshooter by starting the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/), typing **update Windows**, selecting the version of Windows you are running, and then answering **Yes** when asked "Do you need help troubleshooting Windows Update?" + +If any errors are displayed in the Windows Update Troubleshooter, use the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) to ask about these errors. The Virtual Agent will perform a search and provide a list of helpful links. + +### Repair system files + +This fix is also described in detail at [answers.microsoft.com](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93). + +To check and repair system files: + +1. Click **Start**. +2. Type **command**. +3. Right-click **Command Prompt** and then left-click **Run as administrator**. +4. If you are prompted by UAC, click **Yes**. +5. Type **sfc /scannow** and press ENTER. See the following example: + + ``` + C:\>sfc /scannow + + Beginning system scan. This process will take some time. + + Beginning verification phase of system scan. + Verification 100% complete. + + Windows Resource Protection did not find any integrity violations. + ``` +6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example: + + ``` + C:\>DISM.exe /Online /Cleanup-image /Restorehealth + + Deployment Image Servicing and Management tool + Version: 10.0.16299.15 + + Image Version: 10.0.16299.309 + + [==========================100.0%==========================] The restore operation completed successfully. + The operation completed successfully. + + ``` + >It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image). + + +### Update Windows + +You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer. + +The Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) can walk you through the process of making sure that Windows is updated. + +Start the [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) and then type "update windows." + +Answer questions that the agent asks, and follow instructions to ensure that Windows is up to date. You can also run the [Windows Update Troubleshooter](#windows-update-troubleshooter) described above. + +Click **Start**, click power options, and then restart the computer. + +### Uninstall non-Microsoft antivirus software + +Use Windows Defender for protection during the upgrade. + +Verify compatibility information, and if desired re-install antivirus applications after the upgrade. If you plan to re-install the application after upgrading, be sure that you have the installation media and all required activation information before removing the program. + +To remove the application, go to **Control Panel\Programs\Programs and Features** and click the antivirus application, then click Uninstall. Choose **Yes** when you are asked to confirm program removal. + +For more information, see [Windows 7 - How to properly uninstall programs](https://support.microsoft.com/help/2601726) or [Repair or remove programs in Windows 10](https://support.microsoft.com/help/4028054/windows-repair-or-remove-programs-in-windows-10). + +### Uninstall non-essential software + +Outdated applications can cause problems with a Windows upgrade. Removing old or non-essential applications from the computer can therefore help. + +If you plan to reinstall the application later, be sure that you have the installation media and all required activation information before removing it. + +To remove programs, use the same steps as are provided [above](#uninstall-non-microsoft-antivirus-software) for uninstalling non-Microsoft antivirus software, but instead of removing the antivirus application repeat the steps for all your non-essential, unused, or out-of-date software. + +### Update firmware and drivers + +Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed. + +Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). + +To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions. + +### Ensure that "Download and install updates" is selected + +When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example: + +![Get important updates](../images/update.jpg) + +### Verify disk space + +You can see a list of requirements for Windows 10 at [Windows 10 Specifications & System Requirements](https://www.microsoft.com/windows/windows-10-specifications). One of the requirements is that enough hard drive space be available for the installation to take place. At least 16 GB of free space must be available on the system drive to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. + +To view how much hard drive space is available on your computer, open [File Explorer](https://support.microsoft.com/help/4026617/windows-windows-explorer-has-a-new-name). In Windows 7, this was called Windows Explorer. + +In File Explorer, click on **Computer** or **This PC** on the left, then look under **Hard Disk Drives** or under **Devices and drives**. If there are multiple drives listed, the system drive is the drive that includes a Microsoft Windows logo above the drive icon. + +The amount of space available on the system drive will be displayed under the drive. See the following example: + +![System drive](../images/drive.png) + +In the previous example, there is 703 GB of available free space on the system drive (C:). + +To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example: + +![Disk cleanup](../images/cleanup.png) + +For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). + +When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version. + +### Open an elevated command prompt + +>It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool. + +To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). + +Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). + +If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder. + +If you downloaded the SetupDiag.exe program to your computer, then copied it to the folder C:\new, and you opened an elevated command prompt then typed cd c:\new to change to this directory, you can just type setupdiag and press ENTER to run the program. This program will analyze the files on your computer to see why a Windows Upgrade failed and if the reason was a common one, it will report this reason. It will not fix the problem for you but knowing why the upgrade failed enables you to take steps to fix the problem. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 2d922591a5..34e22a7ab7 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -1,771 +1,771 @@ ---- -title: Resolution procedures - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Resolution procedures - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 200 level topic (moderate).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -## 0xC1900101 - -A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
          - -- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, -- Event logs: $Windows.~bt\Sources\Rollback\*.evtx -- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log - -The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. - -
          See the following general troubleshooting procedures associated with a result code of 0xC1900101: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          - - -
          Code -
          0xC1900101 - 0x20004 -
          - -
          -
          Cause -
          Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation -
          This is generally caused by out-of-date drivers. -
          -          		 - - -
          Mitigation -
          Uninstall antivirus applications. -
          Remove all unused SATA devices. -
          Remove all unused devices and drivers. -
          Update drivers and BIOS. -
          -
          - - -
          Code -
          0xC1900101 - 0x2000c -
          - -
          -
          Cause -
          Windows Setup encountered an unspecified error during Wim apply in the WinPE phase. -
          This is generally caused by out-of-date drivers. -
          -          		 - - -
          Mitigation -
          Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. -
          Contact your hardware vendor to obtain updated device drivers. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. -
          -
          - - -
          Code -
          0xC1900101 - 0x20017 - -
          - -
          -
          Cause -
          A driver has caused an illegal operation. -
          Windows was not able to migrate the driver, resulting in a rollback of the operating system. -
          This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. -
          -          		 - - -
          Mitigation -
          -Ensure that all that drivers are updated.
          -Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers. -
          For more information, see Understanding Failures and Log Files. -
          Update or uninstall the problem drivers. -
          -
          - - -
          Code -
          0xC1900101 - 0x30018 -
          - -
          -
          Cause -
          A device driver has stopped responding to setup.exe during the upgrade process. -
          -          		 - - -
          Mitigation -
          -Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. -
          Contact your hardware vendor to obtain updated device drivers. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. -
          -
          - - -
          Code -
          0xC1900101 - 0x3000D -
          - -
          -
          Cause -
          Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation. -
          This can occur due to a problem with a display driver. - -
          -          		 - - -
          Mitigation -
          -Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. -
          Update or uninstall the display driver. -
          -
          - - -
          Code -
          0xC1900101 - 0x4000D -
          - -
          -
          Cause -
          A rollback occurred due to a driver configuration issue. -
          Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. - -
          This can occur due to incompatible drivers. - -
          -          		 - - -
          Mitigation -
          -
          Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. -
          Review the rollback log and determine the stop code. -
          The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases: -
          Info SP Crash 0x0000007E detected -
          Info SP Module name : -
          Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 -
          Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A -
          Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728 -
          Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40 -
          Info SP Cannot recover the system. -
          Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows. - - -
          Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
          - -1. Make sure you have enough disk space.
          -2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
          -3. Try changing video adapters.
          -4. Check with your hardware vendor for any BIOS updates.
          -5. Disable BIOS memory options such as caching or shadowing. -

          -
          -
          - - -
          Code -
          0xC1900101 - 0x40017 -
          - -
          -
          Cause -
          Windows 10 upgrade failed after the second reboot. -
          This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. -
          -          		 - - -
          Mitigation -
          Clean boot into Windows, and then attempt the upgrade to Windows 10.
          - -For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). - -

          Ensure you select the option to "Download and install updates (recommended)." -
          -
          - -

          0x800xxxxx

          - -
          Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. - -
          See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
          - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          - - -
          Code -
          - -80040005 - 0x20007 - -
          - -
          -
          Cause -
          - -An unspecified error occurred with a driver during the SafeOS phase. - -
          -          		 - - -
          Mitigation -
          - -This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. - -
          -
          - - -
          Code -
          - -0x80073BC3 - 0x20009
          -0x8007002 - 0x20009
          -0x80073B92 - 0x20009 - -
          - -
          -
          Cause -
          - -The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. - -
          -          		 - - -
          Mitigation -
          - -These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. - -
          -
          - - -
          Code -
          - -800704B8 - 0x3001A - -
          - -
          -
          Cause -
          - -An extended error has occurred during the first boot phase. - -
          -          		 - - -
          Mitigation -
          - -Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). - -
          -
          - - -
          Code -
          - -8007042B - 0x4000D - -
          - -
          -
          Cause -
          - -The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. -
          This issue can occur due to file system, application, or driver issues. - -
          -          		 - - -
          Mitigation -
          - -[Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object. - -
          -
          - - -
          Code -
          - -8007001F - 0x3000D - -
          - -
          -
          Cause -
          - -The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. - -
          -          		 - - -
          Mitigation -
          - -[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. - -This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. - -Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. - -To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. - -
          -
          - - -
          Code -
          - -8007001F - 0x4000D - -
          - -
          -
          Cause -
          - -General failure, a device attached to the system is not functioning. - -
          -          		 - - -
          Mitigation -
          - -[Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device. - -
          -
          - - -
          Code -
          - -8007042B - 0x4001E - -
          - -
          -
          Cause -
          - -The installation failed during the second boot phase while attempting the PRE_OOBE operation. - -
          -          		 - - -
          Mitigation -
          - -This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. - -
          -
          - - -## Other result codes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Error code -Cause -Mitigation -
          0xC1800118WSUS has downloaded content that it cannot use due to a missing decryption key.See Steps to resolve error 0xC1800118 for information.
          0xC1900200Setup.exe has detected that the machine does not meet the minimum system requirements.Ensure the system you are trying to upgrade meets the minimum system requirements.
          See Windows 10 specifications for information.
          0x80090011A device driver error occurred during user data migration.Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0xC7700112Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.This issue is resolved in the latest version of Upgrade Assistant. -
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0x80190001An unexpected error was encountered while attempting to download files required for upgrade.To resolve this issue, download and run the media creation tool. See Download windows 10. -
          0x80246007The update was not downloaded successfully.Attempt other methods of upgrading the operating system.
          -Download and run the media creation tool. See Download windows 10. -
          Attempt to upgrade using .ISO or USB.
          -Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center. -
          0x80244018Your machine is connected through a proxy server.Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings). -
          0xC1900201The system did not pass the minimum requirements to install the update.Contact the hardware vendor to get the latest updates.
          0x80240017The upgrade is unavailable for this edition of Windows.Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.
          0x80070020The existing process cannot access the file because it is being used by another process.Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see How to perform a clean boot in Windows.
          0x80070522The user doesn’t have required privilege or credentials to upgrade.Ensure that you have signed in as a local administrator or have local administrator privileges.
          0xC1900107A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade. -Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see Disk cleanup in Windows 10.
          0xC1900209The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See Windows 10 Pre-Upgrade Validation using SETUP.EXE for more information. - -
          You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. -
          0x8007002 This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760) - -
          The error 80072efe means that the connection with the server was terminated abnormally. - -
          To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN. -
          0x80240FFF Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: - -
            -
          1. Disable the Upgrades classification.
            2. -
          2. Install hotfix 3095113.
            3. -
          3. Delete previously synched updates.
            4. -
          4. Enable the Upgrades classification.
            5. -
          5. Perform a full synch.
            6. -
          -
          For detailed information on how to run these steps check out How to delete upgrades in WSUS.

          -
          0x8007007EOccurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager. Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix. - -
            -
          1. Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following: -
              -
            1. Open Administrative Tools from the Control Panel.
              2. -
            2. Double-click Services.
              3. -
            3. Find the Windows Update service, right-click it, and then click Stop. If prompted, enter your credentials.
              4. -
            -
            2. -
          2. Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
            3. -
          3. Restart the Windows Update service.
            4. -
          -
          - -## Other error codes - - - - - - - - - - - - - - - -
          Error CodesCauseMitigation
          0x80070003- 0x20007 -This is a failure during SafeOS phase driver installation. - -Verify device drivers on the computer, and analyze log files to determine the problem driver. -
          0x8007025D - 0x2000C -This error occurs if the ISO file's metadata is corrupt."Re-download the ISO/Media and re-attempt the upgrade. - -Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10). - -
          0x80070490 - 0x20007An incompatible device driver is present. - -Verify device drivers on the computer, and analyze log files to determine the problem driver. - -
          0xC1900101 - 0x2000c -An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption. -Run checkdisk to repair the file system. For more information, see the quick fixes section in this guide. -
          Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.
          0xC1900200 - 0x20008 - -The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10. - -See Windows 10 Specifications and verify the computer meets minimum requirements. - -
          Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
          0x80070004 - 0x3000D -This is a problem with data migration during the first boot phase. There are multiple possible causes. - -Analyze log files to determine the issue.
          0xC1900101 - 0x4001E -Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation. -This is a generic error that occurs during the OOBE phase of setup. See the 0xC1900101 section of this guide and review general troubleshooting procedures described in that section.
          0x80070005 - 0x4000D -The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data. -Analyze log files to determine the data point that is reporting access denied.
          0x80070004 - 0x50012 -Windows Setup failed to open a file. -Analyze log files to determine the data point that is reporting access problems.
          0xC190020e -
          0x80070070 - 0x50011 -
          0x80070070 - 0x50012 -
          0x80070070 - 0x60000 -          		These errors indicate the computer does not have enough free space available to install the upgrade. -To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to free up drive space before proceeding with the upgrade. - -
          Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. -
          - -## Modern setup errors - -Also see the following sequential list of modern setup (mosetup) error codes with a brief description of the cause. - -| Result code | Message | Description | -| --- | --- | --- | -| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. | -| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. | -| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. | -| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. | -| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. | -| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | -| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | -| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. | -| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. | -| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. | -| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. | -| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. | -| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. | -| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. | -| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. | -| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. | -| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. | -| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. | -| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. | -| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. | -| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. | -| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. | -| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. | -| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. | -| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. | -| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. | -| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. | -| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. | -| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. | -| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. | -| 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation -| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. | -| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. | -| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. | -| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. | -| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. | -| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. | -| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. | -| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. | -| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. | -| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. | -| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. | -| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. | -| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. | -| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. | -| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. | -| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. | -| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. | -| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. | -| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. | -| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. | -| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. | -| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. | -| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. | -| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. | -| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. | -| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. | -| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. | -| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. | -| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. | -| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. | -| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. | -| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. | -| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. | -| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. | -| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. | -| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. | -| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. | -| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. | -| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. | -| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. | - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Resolution procedures - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Resolution procedures + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 200 level topic (moderate).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +## 0xC1900101 + +A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
          + +- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, +- Event logs: $Windows.~bt\Sources\Rollback\*.evtx +- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log + +The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. + +
          See the following general troubleshooting procedures associated with a result code of 0xC1900101: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          + + +
          Code +
          0xC1900101 - 0x20004 +
          + +
          +
          Cause +
          Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation +
          This is generally caused by out-of-date drivers. +
          +          		 + + +
          Mitigation +
          Uninstall antivirus applications. +
          Remove all unused SATA devices. +
          Remove all unused devices and drivers. +
          Update drivers and BIOS. +
          +
          + + +
          Code +
          0xC1900101 - 0x2000c +
          + +
          +
          Cause +
          Windows Setup encountered an unspecified error during Wim apply in the WinPE phase. +
          This is generally caused by out-of-date drivers. +
          +          		 + + +
          Mitigation +
          Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. +
          Contact your hardware vendor to obtain updated device drivers. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
          +
          + + +
          Code +
          0xC1900101 - 0x20017 + +
          + +
          +
          Cause +
          A driver has caused an illegal operation. +
          Windows was not able to migrate the driver, resulting in a rollback of the operating system. +
          This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. +
          +          		 + + +
          Mitigation +
          +Ensure that all that drivers are updated.
          +Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers. +
          For more information, see Understanding Failures and Log Files. +
          Update or uninstall the problem drivers. +
          +
          + + +
          Code +
          0xC1900101 - 0x30018 +
          + +
          +
          Cause +
          A device driver has stopped responding to setup.exe during the upgrade process. +
          +          		 + + +
          Mitigation +
          +Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. +
          Contact your hardware vendor to obtain updated device drivers. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
          +
          + + +
          Code +
          0xC1900101 - 0x3000D +
          + +
          +
          Cause +
          Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation. +
          This can occur due to a problem with a display driver. + +
          +          		 + + +
          Mitigation +
          +Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. +
          Update or uninstall the display driver. +
          +
          + + +
          Code +
          0xC1900101 - 0x4000D +
          + +
          +
          Cause +
          A rollback occurred due to a driver configuration issue. +
          Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. + +
          This can occur due to incompatible drivers. + +
          +          		 + + +
          Mitigation +
          +
          Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. +
          Review the rollback log and determine the stop code. +
          The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases: +
          Info SP Crash 0x0000007E detected +
          Info SP Module name : +
          Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 +
          Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A +
          Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728 +
          Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40 +
          Info SP Cannot recover the system. +
          Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows. + + +
          Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
          + +1. Make sure you have enough disk space.
          +2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
          +3. Try changing video adapters.
          +4. Check with your hardware vendor for any BIOS updates.
          +5. Disable BIOS memory options such as caching or shadowing. +

          +
          +
          + + +
          Code +
          0xC1900101 - 0x40017 +
          + +
          +
          Cause +
          Windows 10 upgrade failed after the second reboot. +
          This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. +
          +          		 + + +
          Mitigation +
          Clean boot into Windows, and then attempt the upgrade to Windows 10.
          + +For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). + +

          Ensure you select the option to "Download and install updates (recommended)." +
          +
          + +

          0x800xxxxx

          + +
          Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. + +
          See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
          + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          + + +
          Code +
          + +80040005 - 0x20007 + +
          + +
          +
          Cause +
          + +An unspecified error occurred with a driver during the SafeOS phase. + +
          +          		 + + +
          Mitigation +
          + +This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. + +
          +
          + + +
          Code +
          + +0x80073BC3 - 0x20009
          +0x8007002 - 0x20009
          +0x80073B92 - 0x20009 + +
          + +
          +
          Cause +
          + +The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria. + +
          +          		 + + +
          Mitigation +
          + +These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition. + +
          +
          + + +
          Code +
          + +800704B8 - 0x3001A + +
          + +
          +
          Cause +
          + +An extended error has occurred during the first boot phase. + +
          +          		 + + +
          Mitigation +
          + +Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). + +
          +
          + + +
          Code +
          + +8007042B - 0x4000D + +
          + +
          +
          Cause +
          + +The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. +
          This issue can occur due to file system, application, or driver issues. + +
          +          		 + + +
          Mitigation +
          + +[Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object. + +
          +
          + + +
          Code +
          + +8007001F - 0x3000D + +
          + +
          +
          Cause +
          + +The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. + +
          +          		 + + +
          Mitigation +
          + +[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. + +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. + +Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. + +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. + +
          +
          + + +
          Code +
          + +8007001F - 0x4000D + +
          + +
          +
          Cause +
          + +General failure, a device attached to the system is not functioning. + +
          +          		 + + +
          Mitigation +
          + +[Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device. + +
          +
          + + +
          Code +
          + +8007042B - 0x4001E + +
          + +
          +
          Cause +
          + +The installation failed during the second boot phase while attempting the PRE_OOBE operation. + +
          +          		 + + +
          Mitigation +
          + +This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution. + +
          +
          + + +## Other result codes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Error code +Cause +Mitigation +
          0xC1800118WSUS has downloaded content that it cannot use due to a missing decryption key.See Steps to resolve error 0xC1800118 for information.
          0xC1900200Setup.exe has detected that the machine does not meet the minimum system requirements.Ensure the system you are trying to upgrade meets the minimum system requirements.
          See Windows 10 specifications for information.
          0x80090011A device driver error occurred during user data migration.Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0xC7700112Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.This issue is resolved in the latest version of Upgrade Assistant. +
          Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
          0x80190001An unexpected error was encountered while attempting to download files required for upgrade.To resolve this issue, download and run the media creation tool. See Download windows 10. +
          0x80246007The update was not downloaded successfully.Attempt other methods of upgrading the operating system.
          +Download and run the media creation tool. See Download windows 10. +
          Attempt to upgrade using .ISO or USB.
          +Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center. +
          0x80244018Your machine is connected through a proxy server.Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings). +
          0xC1900201The system did not pass the minimum requirements to install the update.Contact the hardware vendor to get the latest updates.
          0x80240017The upgrade is unavailable for this edition of Windows.Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.
          0x80070020The existing process cannot access the file because it is being used by another process.Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see How to perform a clean boot in Windows.
          0x80070522The user doesn’t have required privilege or credentials to upgrade.Ensure that you have signed in as a local administrator or have local administrator privileges.
          0xC1900107A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade. +Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see Disk cleanup in Windows 10.
          0xC1900209The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See Windows 10 Pre-Upgrade Validation using SETUP.EXE for more information. + +
          You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. +
          0x8007002 This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760) + +
          The error 80072efe means that the connection with the server was terminated abnormally. + +
          To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN. +
          0x80240FFF Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: + +
            +
          1. Disable the Upgrades classification.
            2. +
          2. Install hotfix 3095113.
            3. +
          3. Delete previously synched updates.
            4. +
          4. Enable the Upgrades classification.
            5. +
          5. Perform a full synch.
            6. +
          +
          For detailed information on how to run these steps check out How to delete upgrades in WSUS.

          +
          0x8007007EOccurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager. Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix. + +
            +
          1. Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following: +
              +
            1. Open Administrative Tools from the Control Panel.
              2. +
            2. Double-click Services.
              3. +
            3. Find the Windows Update service, right-click it, and then click Stop. If prompted, enter your credentials.
              4. +
            +
            2. +
          2. Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
            3. +
          3. Restart the Windows Update service.
            4. +
          +
          + +## Other error codes + + + + + + + + + + + + + + + +
          Error CodesCauseMitigation
          0x80070003- 0x20007 +This is a failure during SafeOS phase driver installation. + +Verify device drivers on the computer, and analyze log files to determine the problem driver. +
          0x8007025D - 0x2000C +This error occurs if the ISO file's metadata is corrupt."Re-download the ISO/Media and re-attempt the upgrade. + +Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10). + +
          0x80070490 - 0x20007An incompatible device driver is present. + +Verify device drivers on the computer, and analyze log files to determine the problem driver. + +
          0xC1900101 - 0x2000c +An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption. +Run checkdisk to repair the file system. For more information, see the quick fixes section in this guide. +
          Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.
          0xC1900200 - 0x20008 + +The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10. + +See Windows 10 Specifications and verify the computer meets minimum requirements. + +
          Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
          0x80070004 - 0x3000D +This is a problem with data migration during the first boot phase. There are multiple possible causes. + +Analyze log files to determine the issue.
          0xC1900101 - 0x4001E +Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation. +This is a generic error that occurs during the OOBE phase of setup. See the 0xC1900101 section of this guide and review general troubleshooting procedures described in that section.
          0x80070005 - 0x4000D +The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data. +Analyze log files to determine the data point that is reporting access denied.
          0x80070004 - 0x50012 +Windows Setup failed to open a file. +Analyze log files to determine the data point that is reporting access problems.
          0xC190020e +
          0x80070070 - 0x50011 +
          0x80070070 - 0x50012 +
          0x80070070 - 0x60000 +          		These errors indicate the computer does not have enough free space available to install the upgrade. +To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to free up drive space before proceeding with the upgrade. + +
          Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. +
          + +## Modern setup errors + +Also see the following sequential list of modern setup (mosetup) error codes with a brief description of the cause. + +| Result code | Message | Description | +| --- | --- | --- | +| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. | +| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. | +| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. | +| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. | +| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. | +| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | +| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | +| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. | +| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. | +| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. | +| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. | +| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. | +| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. | +| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. | +| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. | +| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. | +| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. | +| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. | +| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. | +| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. | +| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. | +| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. | +| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. | +| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. | +| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. | +| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. | +| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. | +| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. | +| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. | +| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. | +| 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation +| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. | +| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. | +| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. | +| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. | +| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. | +| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. | +| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. | +| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. | +| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. | +| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. | +| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. | +| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. | +| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. | +| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. | +| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. | +| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. | +| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. | +| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. | +| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. | +| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. | +| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. | +| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. | +| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. | +| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. | +| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. | +| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. | +| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. | +| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. | +| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. | +| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. | +| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. | +| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. | +| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. | +| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. | +| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. | +| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. | +| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. | +| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. | +| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. | +| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. | + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index e869cfa80e..af24d3c075 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -1,64 +1,64 @@ ---- -title: Resolve Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Resolve Windows 10 upgrade errors : Technical information for IT Pros - -**Applies to** -- Windows 10 - ->[!IMPORTANT] ->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). - -This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. - -The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. - -The following four levels are assigned: - -Level 100: Basic
          -Level 200: Moderate
          -Level 300: Moderate advanced
          -Level 400: Advanced
          - -## In this guide - -See the following topics in this article: - -- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
          -- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. -- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
          -- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. -- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained. - - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes. - - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes. -- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. - - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. - - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. -- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes. - - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code. - - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800. - - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. - - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. -- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) -
          +--- +title: Resolve Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Resolve Windows 10 upgrade errors : Technical information for IT Pros + +**Applies to** +- Windows 10 + +>[!IMPORTANT] +>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). + +This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. + +The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. + +The following four levels are assigned: + +Level 100: Basic
          +Level 200: Moderate
          +Level 300: Moderate advanced
          +Level 400: Advanced
          + +## In this guide + +See the following topics in this article: + +- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
          +- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. +- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
          +- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. +- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained. + - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes. + - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes. +- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. + - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. + - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. +- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes. + - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code. + - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800. + - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. + - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. +- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +
          diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index e6407618c1..cd3aaab920 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.localizationpriority: medium ms.topic: article @@ -334,7 +335,7 @@ Each rule name and its associated unique rule identifier are listed with a descr - For an example, see [Sample registry key](#sample-registry-key). 05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center. - - This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset). + - This release adds the ability to find and diagnose reset and recovery failures (Push Button Reset). 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 1eebd06873..6f6bde4fba 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -1,76 +1,76 @@ ---- -title: Submit Windows 10 upgrade errors using Feedback Hub -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Submit Windows 10 upgrade errors for diagnosis using feedback hub -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Submit Windows 10 upgrade errors using Feedback Hub - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 100 level topic (basic).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -## In this topic - -This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. - -## About the Feedback Hub - -The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). - -The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically. - -## Submit feedback - -To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)  - -The Feedback Hub will open. - -- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. -- Under **Give us more detail**, provide additional information about the failed upgrade, such as: - - When did the failure occur? - - Were there any reboots? - - How many times did the system reboot? - - How did the upgrade fail? - - Were any error codes visible? - - Did the computer fail to a blue screen? - - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back? -- Additional details - - What type of security software is installed? - - Is the computer up to date with latest drivers and firmware? - - Are there any external devices connected? -- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. - -You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). - -Click **Submit** to send your feedback. - -See the following example: - -![feedback example](../images/feedback.png) - -After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. - -## Link to your feedback - -After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. - -![share](../images/share.jpg) - -## Related topics - -[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) - +--- +title: Submit Windows 10 upgrade errors using Feedback Hub +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Submit Windows 10 upgrade errors for diagnosis using feedback hub +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Submit Windows 10 upgrade errors using Feedback Hub + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 100 level topic (basic).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +## In this topic + +This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. + +## About the Feedback Hub + +The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). + +The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically. + +## Submit feedback + +To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)  + +The Feedback Hub will open. + +- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. +- Under **Give us more detail**, provide additional information about the failed upgrade, such as: + - When did the failure occur? + - Were there any reboots? + - How many times did the system reboot? + - How did the upgrade fail? + - Were any error codes visible? + - Did the computer fail to a blue screen? + - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back? +- Additional details + - What type of security software is installed? + - Is the computer up to date with latest drivers and firmware? + - Are there any external devices connected? +- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. + +You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). + +Click **Submit** to send your feedback. + +See the following example: + +![feedback example](../images/feedback.png) + +After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. + +## Link to your feedback + +After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. + +![share](../images/share.jpg) + +## Related topics + +[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) + diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index fe26d367f3..b252ff670a 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -1,97 +1,97 @@ ---- -title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Troubleshooting upgrade errors - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 300 level topic (moderately advanced).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. - -Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. - -These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. - -1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. - -2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. - - Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. - - >[!TIP] - >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). - - **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. - - If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. - - If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. - -3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. - -4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. - -If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. - -## The Windows 10 upgrade process - -The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. - -When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. - -1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - - ![downlevel phase](../images/downlevel.png) - -2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - - ![safeOS phase](../images/safeos.png) - -3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - - ![first boot phase](../images/firstboot.png) - -4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. - - At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - - ![second boot phase](../images/secondboot.png) - - ![second boot phase](../images/secondboot2.png) - - ![second boot phase](../images/secondboot3.png) - -5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. - -**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): - -![Upgrade process](../images/upgrade-process.png) - -DU = Driver/device updates.
          -OOBE = Out of box experience.
          -WIM = Windows image (Microsoft) - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Troubleshooting upgrade errors + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 300 level topic (moderately advanced).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. + +Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. + +These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. + +1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. + +2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. + + Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. + + >[!TIP] + >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). + + **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. + + If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. + + If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. + +3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. + +4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. + +If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. + +## The Windows 10 upgrade process + +The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. + +When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. + +1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. + + ![downlevel phase](../images/downlevel.png) + +2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. + + ![safeOS phase](../images/safeos.png) + +3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. + + ![first boot phase](../images/firstboot.png) + +4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. + + At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. + + ![second boot phase](../images/secondboot.png) + + ![second boot phase](../images/secondboot2.png) + + ![second boot phase](../images/secondboot3.png) + +5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. + +**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): + +![Upgrade process](../images/upgrade-process.png) + +DU = Driver/device updates.
          +OOBE = Out of box experience.
          +WIM = Windows image (Microsoft) + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index efaa098dab..f06c6fb87b 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -1,159 +1,159 @@ ---- -title: Upgrade error codes - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Upgrade error codes - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 400 level topic (advanced).
          ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -If the upgrade process is not successful, Windows Setup will return two codes: - -1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. -2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. - ->For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. - -Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. - ->[!TIP] ->If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). - -## Result codes - ->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
          To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. - -The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: - -| Result code | Message | Description | -| --- | --- | --- | -| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | -| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | -| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | -| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | -| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | - -A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. - -Other result codes can be matched to the specific type of error encountered. To match a result code to an error: - -1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: -
          **8** = Win32 error code (ex: 0x**8**0070070) -
          **C** = NTSTATUS value (ex: 0x**C**1900107) -2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. -3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: - - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) - - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) - -Examples: -- 0x80070070 - - Based on the "8" this is a Win32 error code - - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table - - The error is: **ERROR_DISK_FULL** -- 0xC1900107 - - Based on the "C" this is an NTSTATUS error code - - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table - - The error is: **STATUS_SOME_NOT_MAPPED** - -Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. - -## Extend codes - ->**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. - -Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: - -1. Use the first digit to identify the phase (ex: 0x4000D = 4). -2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). -3. Match the phase and operation to values in the tables provided below. - -The following tables provide the corresponding phase and operation for values of an extend code: - -
          - - - -
          Extend code: phase
          HexPhase -
          0SP_EXECUTION_UNKNOWN -
          1SP_EXECUTION_DOWNLEVEL -
          2SP_EXECUTION_SAFE_OS -
          3SP_EXECUTION_FIRST_BOOT -
          4SP_EXECUTION_OOBE_BOOT -
          5SP_EXECUTION_UNINSTALL -
          - - - - - - - -
          Extend code: operation
          - -
          HexOperation -
          0SP_EXECUTION_OP_UNKNOWN -
          1SP_EXECUTION_OP_COPY_PAYLOAD -
          2SP_EXECUTION_OP_DOWNLOAD_UPDATES -
          3SP_EXECUTION_OP_INSTALL_UPDATES -
          4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT -
          5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE -
          6SP_EXECUTION_OP_REPLICATE_OC -
          7SP_EXECUTION_OP_INSTALL_DRVIERS -
          8SP_EXECUTION_OP_PREPARE_SAFE_OS -
          9SP_EXECUTION_OP_PREPARE_ROLLBACK -
          ASP_EXECUTION_OP_PREPARE_FIRST_BOOT -
          BSP_EXECUTION_OP_PREPARE_OOBE_BOOT -
          CSP_EXECUTION_OP_APPLY_IMAGE -
          DSP_EXECUTION_OP_MIGRATE_DATA -
          ESP_EXECUTION_OP_SET_PRODUCT_KEY -
          FSP_EXECUTION_OP_ADD_UNATTEND -
          -          		 - -
          HexOperation -
          10SP_EXECUTION_OP_ADD_DRIVER -
          11SP_EXECUTION_OP_ENABLE_FEATURE -
          12SP_EXECUTION_OP_DISABLE_FEATURE -
          13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS -
          14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS -
          15SP_EXECUTION_OP_CREATE_FILE -
          16SP_EXECUTION_OP_CREATE_REGISTRY -
          17SP_EXECUTION_OP_BOOT -
          18SP_EXECUTION_OP_SYSPREP -
          19SP_EXECUTION_OP_OOBE -
          1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT -
          1BSP_EXECUTION_OP_END_FIRST_BOOT -
          1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT -
          1DSP_EXECUTION_OP_END_OOBE_BOOT -
          1ESP_EXECUTION_OP_PRE_OOBE -
          1FSP_EXECUTION_OP_POST_OOBE -
          20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE -
          -
          - -For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Upgrade error codes - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Upgrade error codes + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 400 level topic (advanced).
          +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +If the upgrade process is not successful, Windows Setup will return two codes: + +1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. +2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. + +>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. + +Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. + +>[!TIP] +>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). + +## Result codes + +>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
          To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. + +The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: + +| Result code | Message | Description | +| --- | --- | --- | +| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | +| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | +| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | +| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | +| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | + +A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. + +Other result codes can be matched to the specific type of error encountered. To match a result code to an error: + +1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: +
          **8** = Win32 error code (ex: 0x**8**0070070) +
          **C** = NTSTATUS value (ex: 0x**C**1900107) +2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. +3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: + - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) + - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) + +Examples: +- 0x80070070 + - Based on the "8" this is a Win32 error code + - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table + - The error is: **ERROR_DISK_FULL** +- 0xC1900107 + - Based on the "C" this is an NTSTATUS error code + - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table + - The error is: **STATUS_SOME_NOT_MAPPED** + +Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. + +## Extend codes + +>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. + +Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: + +1. Use the first digit to identify the phase (ex: 0x4000D = 4). +2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). +3. Match the phase and operation to values in the tables provided below. + +The following tables provide the corresponding phase and operation for values of an extend code: + +
          + + + +
          Extend code: phase
          HexPhase +
          0SP_EXECUTION_UNKNOWN +
          1SP_EXECUTION_DOWNLEVEL +
          2SP_EXECUTION_SAFE_OS +
          3SP_EXECUTION_FIRST_BOOT +
          4SP_EXECUTION_OOBE_BOOT +
          5SP_EXECUTION_UNINSTALL +
          + + + + + + + +
          Extend code: operation
          + +
          HexOperation +
          0SP_EXECUTION_OP_UNKNOWN +
          1SP_EXECUTION_OP_COPY_PAYLOAD +
          2SP_EXECUTION_OP_DOWNLOAD_UPDATES +
          3SP_EXECUTION_OP_INSTALL_UPDATES +
          4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT +
          5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE +
          6SP_EXECUTION_OP_REPLICATE_OC +
          7SP_EXECUTION_OP_INSTALL_DRVIERS +
          8SP_EXECUTION_OP_PREPARE_SAFE_OS +
          9SP_EXECUTION_OP_PREPARE_ROLLBACK +
          ASP_EXECUTION_OP_PREPARE_FIRST_BOOT +
          BSP_EXECUTION_OP_PREPARE_OOBE_BOOT +
          CSP_EXECUTION_OP_APPLY_IMAGE +
          DSP_EXECUTION_OP_MIGRATE_DATA +
          ESP_EXECUTION_OP_SET_PRODUCT_KEY +
          FSP_EXECUTION_OP_ADD_UNATTEND +
          +          		 + +
          HexOperation +
          10SP_EXECUTION_OP_ADD_DRIVER +
          11SP_EXECUTION_OP_ENABLE_FEATURE +
          12SP_EXECUTION_OP_DISABLE_FEATURE +
          13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS +
          14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS +
          15SP_EXECUTION_OP_CREATE_FILE +
          16SP_EXECUTION_OP_CREATE_REGISTRY +
          17SP_EXECUTION_OP_BOOT +
          18SP_EXECUTION_OP_SYSPREP +
          19SP_EXECUTION_OP_OOBE +
          1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT +
          1BSP_EXECUTION_OP_END_FIRST_BOOT +
          1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT +
          1DSP_EXECUTION_OP_END_OOBE_BOOT +
          1ESP_EXECUTION_OP_PRE_OOBE +
          1FSP_EXECUTION_OP_POST_OOBE +
          20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE +
          +
          + +For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
          [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
          [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
          [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
          [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 09a0e88f33..93d1f63cc0 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -1,96 +1,96 @@ ---- -title: Upgrade Readiness - Additional insights -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Explains additional features of Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Additional insights - -This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: - -- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. -- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. -- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. - -## Spectre and Meltdown protection status -Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. - -Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: -- Verify that you are running a supported antivirus application. -- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. -- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). - -Upgrade Readiness reports on status of your devices in these three areas. - -![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) - ->[!IMPORTANT] ->To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) - -### Anti-virus status blade -This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. - -![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) - -### Security update status blade -This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. - -![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) - ->[!IMPORTANT] ->If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. - -### Firmware update status blade -This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. - - - - -## Site discovery - -The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. - -> [!NOTE] -> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. -> -> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. - -In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). - -### Review most active sites - -This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. - -For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL. - -![Most active sites](../images/upgrade-analytics-most-active-sites.png) - -Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. - -![Site domain detail](../images/upgrade-analytics-site-domain-detail.png) - -### Review document modes in use - -This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). - -![Site activity by document mode](../images/upgrade-analytics-site-activity-by-doc-mode.png) - -### Run browser-related queries - -You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. - -![](../images/upgrade-analytics-query-activex-name.png) - -## Office add-ins - -Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. - -## Related topics - -[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) +--- +title: Upgrade Readiness - Additional insights +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Explains additional features of Upgrade Readiness. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Additional insights + +This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: + +- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. +- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. +- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. + +## Spectre and Meltdown protection status +Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. + +Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: +- Verify that you are running a supported antivirus application. +- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. +- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). + +Upgrade Readiness reports on status of your devices in these three areas. + +![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) + +>[!IMPORTANT] +>To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) + +### Anti-virus status blade +This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. + +![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) + +### Security update status blade +This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. + +![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) + +>[!IMPORTANT] +>If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. + +### Firmware update status blade +This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. + + + + +## Site discovery + +The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. + +> [!NOTE] +> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. +> +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. + +In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). + +### Review most active sites + +This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. + +For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL. + +![Most active sites](../images/upgrade-analytics-most-active-sites.png) + +Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. + +![Site domain detail](../images/upgrade-analytics-site-domain-detail.png) + +### Review document modes in use + +This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). + +![Site activity by document mode](../images/upgrade-analytics-site-activity-by-doc-mode.png) + +### Run browser-related queries + +You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. + +![](../images/upgrade-analytics-query-activex-name.png) + +## Office add-ins + +Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. + +## Related topics + +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index 2f98a96cc3..e5d5a0d480 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md +++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md @@ -1,35 +1,35 @@ ---- -title: Upgrade Readiness architecture (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Describes Upgrade Readiness architecture. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness architecture - -Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. - - - -![Upgrade Readiness architecture](../images/ur-arch-diagram.png) - -After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. - -For more information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: - -[Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
          -[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
          -[Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
          - -## **Related topics** - -[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          -[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          -[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          +--- +title: Upgrade Readiness architecture (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Describes Upgrade Readiness architecture. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness architecture + +Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. + + + +![Upgrade Readiness architecture](../images/ur-arch-diagram.png) + +After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. + +For more information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see: + +[Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
          +[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
          +[Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
          + +## **Related topics** + +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          +[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
          +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index a6470eed73..0bbda9f3df 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -1,57 +1,57 @@ ---- -title: Upgrade Readiness data sharing -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Connectivity scenarios for data sharing with Upgrade Readiness -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness data sharing - -To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted. - -## Connectivity to the Internet - -There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script. - -### Direct connection to the Internet - -This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft diagnostic data backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses. - -In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**. - -### Connection through the WinHTTP proxy - -This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. - -In order to set the WinHTTP proxy system-wide on your computers, you need to -- Use the command netsh winhttp set proxy \:\ -- Set ClientProxy=System in runconfig.bat - -The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. - -If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). - -### Logged-in user’s Internet connection - -In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. Essentially, if the logged in user can reach the Windows diagnostic data endpoints, the diagnostic data client can send data. If runconfig.bat runs while no user is logged in, diagnostic data events get written into a buffer which gets flushed when a user logs in. - -In order to enable this scenario, you need: -- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code -- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. -- Set ClientProxy=User in bat. - -> [!IMPORTANT] -> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[] - - - - - +--- +title: Upgrade Readiness data sharing +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Connectivity scenarios for data sharing with Upgrade Readiness +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness data sharing + +To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted. + +## Connectivity to the Internet + +There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script. + +### Direct connection to the Internet + +This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft diagnostic data backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses. + +In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**. + +### Connection through the WinHTTP proxy + +This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. + +In order to set the WinHTTP proxy system-wide on your computers, you need to +- Use the command netsh winhttp set proxy \:\ +- Set ClientProxy=System in runconfig.bat + +The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. + +If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). + +### Logged-in user’s Internet connection + +In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. Essentially, if the logged in user can reach the Windows diagnostic data endpoints, the diagnostic data client can send data. If runconfig.bat runs while no user is logged in, diagnostic data events get written into a buffer which gets flushed when a user logs in. + +In order to enable this scenario, you need: +- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code +- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. +- Set ClientProxy=User in bat. + +> [!IMPORTANT] +> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[] + + + + + diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index 9827ca77e8..b097017757 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -1,102 +1,102 @@ ---- -title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 3: Deploy Windows - -All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. -The blades in the **Deploy** section are: - -- [Deploy eligible computers](#deploy-eligible-computers) -- [Deploy computers by group](#computer-groups) - ->Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). - -## Deploy eligible computers - -In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: -- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. -- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. -- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. - - - -![Deploy eligible computers](../images/ua-cg-16.png) - -Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. - ->**Important**
          When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. - -## Computer groups - -Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). - -Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. - -### Getting started with Computer Groups - -When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: - -![Computer groups](../images/ua-cg-01.png) - -To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: - -``` -Type=UAComputer Manufacturer=DELL -``` - -![Computer groups](../images/ua-cg-02.png) - -When you are satisfied that the query is returning the intended results, add the following text to your search: - -``` -| measure count() by Computer -``` - -This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: - -![Computer groups](../images/ua-cg-03.png) - -Your new computer group will now be available in Upgrade Readiness. See the following example: - -![Computer groups](../images/ua-cg-04.png) - -### Using Computer Groups - -When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. - -![Computer groups](../images/ua-cg-05.png) - -Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: - -![Computer groups](../images/ua-cg-06.png) - -Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: - -![Computer groups](../images/ua-cg-07.png) - -A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. - -### Upgrade assessment - -Upgrade assessment and guidance details are explained in the following table. - -| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | -|-----------------------|------------------------------------------------|----------|-----------------|---------------| -| No known issues | No | None | Computers will upgrade seamlessly.
          | OK to use as-is in pilot. | -| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | -| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

          If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

          | - -Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. - ->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. +--- +title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 3: Deploy Windows + +All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. +The blades in the **Deploy** section are: + +- [Deploy eligible computers](#deploy-eligible-computers) +- [Deploy computers by group](#computer-groups) + +>Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). + +## Deploy eligible computers + +In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: +- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. +- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. +- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. + + + +![Deploy eligible computers](../images/ua-cg-16.png) + +Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. + +>**Important**
          When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. + +## Computer groups + +Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). + +Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. + +### Getting started with Computer Groups + +When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: + +![Computer groups](../images/ua-cg-01.png) + +To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: + +``` +Type=UAComputer Manufacturer=DELL +``` + +![Computer groups](../images/ua-cg-02.png) + +When you are satisfied that the query is returning the intended results, add the following text to your search: + +``` +| measure count() by Computer +``` + +This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: + +![Computer groups](../images/ua-cg-03.png) + +Your new computer group will now be available in Upgrade Readiness. See the following example: + +![Computer groups](../images/ua-cg-04.png) + +### Using Computer Groups + +When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. + +![Computer groups](../images/ua-cg-05.png) + +Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: + +![Computer groups](../images/ua-cg-06.png) + +Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: + +![Computer groups](../images/ua-cg-07.png) + +A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. + +### Upgrade assessment + +Upgrade assessment and guidance details are explained in the following table. + +| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | +|-----------------------|------------------------------------------------|----------|-----------------|---------------| +| No known issues | No | None | Computers will upgrade seamlessly.
          | OK to use as-is in pilot. | +| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | +| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

          If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

          | + +Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. + +>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 6c6a70095b..8ad77cca4e 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -8,6 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.topic: article ms.collection: M365-analytics @@ -186,5 +187,5 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi > > Then run the Enterprise Config script (RunConfig.bat) again. > -> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. +> If the script still fails, then contact support@microsoft.com and share the log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 3cfb3be1df..47a7fc7fe2 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -1,81 +1,81 @@ ---- -title: Get started with Upgrade Readiness (Windows 10) -ms.reviewer: -manager: laurawi -description: Explains how to get started with Upgrade Readiness. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.topic: article -ms.collection: M365-analytics ---- - -# Get started with Upgrade Readiness - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic explains how to obtain and configure Upgrade Readiness for your organization. - -You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. - -Before you begin, consider reviewing the following helpful information:
          - - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
          - - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. - ->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - -When you are ready to begin using Upgrade Readiness, perform the following steps: - -1. Review [data collection and privacy](#data-collection-and-privacy) information. -2. [Add the Upgrade Readiness solution to your Azure subsctiption](#add-the-upgrade-readiness-solution-to-your-azure-subscription). -3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). -4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled. - -## Data collection and privacy - -To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. - -## Add the Upgrade Readiness solution to your Azure subscription - -Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: - -1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. - - >[!NOTE] - > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. - -2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. - ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) - - ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) -3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. - ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) - - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. -4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. - ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) -5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. - ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) - - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. - - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. - -## Enroll devices in Windows Analytics - - -Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). - - - -## Use Upgrade Readiness to manage Windows Upgrades - -Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). +--- +title: Get started with Upgrade Readiness (Windows 10) +ms.reviewer: +manager: laurawi +description: Explains how to get started with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics +--- + +# Get started with Upgrade Readiness + +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +This topic explains how to obtain and configure Upgrade Readiness for your organization. + +You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. + +Before you begin, consider reviewing the following helpful information:
          + - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
          + - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. + +>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). + +When you are ready to begin using Upgrade Readiness, perform the following steps: + +1. Review [data collection and privacy](#data-collection-and-privacy) information. +2. [Add the Upgrade Readiness solution to your Azure subsctiption](#add-the-upgrade-readiness-solution-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled. + +## Data collection and privacy + +To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. + +## Add the Upgrade Readiness solution to your Azure subscription + +Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. + +2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. + ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) + + ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) +3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. + ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) + - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. +4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. + +## Enroll devices in Windows Analytics + + +Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). + + + +## Use Upgrade Readiness to manage Windows Upgrades + +Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md index 81992ee784..4c4477de3c 100644 --- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md +++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md @@ -1,41 +1,41 @@ ---- -title: Upgrade Readiness - Identify important apps (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 1: Identify important apps - -This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade. - - - -![Prioritize applications](../images/upgrade-analytics-prioritize.png) - -Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them. - -To change an application’s importance level: - -1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. -2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list. -3. Click **Save** when finished. - -Importance levels include: - -| Importance level | When to use it | Recommendation | -|--------------------|------------------|------------------| -| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

          Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
          | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

          | -| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

          | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | -| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

          | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | -| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | -| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
          | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

          | -| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
          | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

          Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
          | - +--- +title: Upgrade Readiness - Identify important apps (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 1: Identify important apps + +This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade. + + + +![Prioritize applications](../images/upgrade-analytics-prioritize.png) + +Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them. + +To change an application’s importance level: + +1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. +2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list. +3. Click **Save** when finished. + +Importance levels include: + +| Importance level | When to use it | Recommendation | +|--------------------|------------------|------------------| +| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

          Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
          | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

          | +| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

          | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | +| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

          | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | +| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | +| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
          | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

          | +| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
          | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

          Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
          | + diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md index 6dffc54509..1aee2eb281 100644 --- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md +++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md @@ -1,51 +1,51 @@ ---- -title: Monitor deployment with Upgrade Readiness -ms.reviewer: -manager: laurawi -description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.localizationpriority: medium -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 4: Monitor - -Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements. - -![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png) - - -## Update progress - -The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc. - - -Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out. - -!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png) - - -## Driver issues - -The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver. - - -For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. - -!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png) - -## User feedback - -The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar. - - -We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications. - -When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well. - -![Example user feedback item](../images/UR-example-feedback.png) - +--- +title: Monitor deployment with Upgrade Readiness +ms.reviewer: +manager: laurawi +description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 4: Monitor + +Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements. + +![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png) + + +## Update progress + +The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc. + + +Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out. + +!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png) + + +## Driver issues + +The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver. + + +For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. + +!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png) + +## User feedback + +The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar. + + +We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications. + +When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well. + +![Example user feedback item](../images/UR-example-feedback.png) + diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 1ed4a081c1..3078890be7 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -1,76 +1,76 @@ ---- -title: Upgrade Readiness requirements (Windows 10) -ms.reviewer: -manager: laurawi -description: Provides requirements for Upgrade Readiness. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness requirements - -This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness. - -## Supported upgrade paths - -### Windows 7 and Windows 8.1 - -To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer. - -The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - - - -If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. - -> [!NOTE] -> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. - -See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. - -### Windows 10 - -Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). - -While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. - -## Operations Management Suite or Azure Log Analytics - -Upgrade Readiness is offered as a solution in Azure Portal and Azure Log Analytics, a collection of cloud-based services for managing on premises and cloud computing environments. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). - -If you’re already using Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. - -If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. - ->[!IMPORTANT] ->You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. - -## System Center Configuration Manager integration - -Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - - - -## Important information about this release - -Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. - -**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. - -**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in Azure Portal. Upgrade Readiness is supported in all Azure regions; however, selecting an international Azure region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. - -### Tips - -- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. - -- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in Azure Portal, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). - -## Get started - -See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project. +--- +title: Upgrade Readiness requirements (Windows 10) +ms.reviewer: +manager: laurawi +description: Provides requirements for Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness requirements + +This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness. + +## Supported upgrade paths + +### Windows 7 and Windows 8.1 + +To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer. + +The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. + + + +If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. + +> [!NOTE] +> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. + +See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. + +### Windows 10 + +Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). + +While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. + +## Operations Management Suite or Azure Log Analytics + +Upgrade Readiness is offered as a solution in Azure Portal and Azure Log Analytics, a collection of cloud-based services for managing on premises and cloud computing environments. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). + +If you’re already using Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. + +If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. + +>[!IMPORTANT] +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. + +## System Center Configuration Manager integration + +Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). + + + +## Important information about this release + +Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. + +**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. + +**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in Azure Portal. Upgrade Readiness is supported in all Azure regions; however, selecting an international Azure region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US. + +### Tips + +- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. + +- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in Azure Portal, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). + +## Get started + +See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project. diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 3367363f1c..6d2a66ecdc 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -1,216 +1,216 @@ ---- -title: Upgrade Readiness - Resolve application and driver issues (Windows 10) -ms.reviewer: -manager: laurawi -description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.localizationpriority: medium -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Step 2: Resolve app and driver issues - -This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them. - -## In this section - -The blades in the **Step 2: Resolve issues** section are: - -- [Review applications with known issues](#review-applications-with-known-issues) -- [Review known driver issues](#review-drivers-with-known-issues) -- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers) -- [Prioritize app and driver testing](#prioritize-app-and-driver-testing) - ->You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. - -Upgrade decisions include: - - -| Upgrade decision | When to use it | Guidance | -|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Not reviewed | All drivers are marked as Not reviewed by default.

          Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
          | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

          | -| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

          Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

          | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | -| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

          In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
          | -| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

          Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
          | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

          | - -As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). - -## Review applications with known issues - -Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. - - - -![Review applications with known issues](../images/upgrade-analytics-apps-known-issues.png) - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. -2. In the table view, select an **UpgradeDecision** value. -3. Select **Decide upgrade readiness** to change the upgrade decision for each application. -4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. -5. Click **Save** when finished. - -IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. - -For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|-----------|-----------------|------------| -| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
          | No action is required for the upgrade to proceed. | -| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

          The application may work on the new operating system.
          | Remove the application before upgrading, and reinstall and test on new operating system. | -| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
          | -| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
          | -| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

          A compatible version of the application may be available.
          | -| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
          | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
          | -| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | - -For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|----------|-----------------|-------------| -| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | -| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
          | No action is required for the upgrade to proceed. Reinstall application on the new operating system. | -| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
          | -| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
          | - -### ISV support for applications with Ready for Windows - -[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). - -Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: - -![Upgrade analytics Ready for Windows status](../images/upgrade-analytics-ready-for-windows-status.png) - -If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. - -![Upgrade analytics Ready for Windows status guidance precedence](../images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) - -If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. - -![Name publisher rollup](../images/upgrade-analytics-namepub-rollup.png) - -> [!TIP] -> Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. -> -> To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. -> -> Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. - -The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) - -| Ready for Windows Status | Query rollup level | What this means | Guidance | -|-------------------|--------------------------|-----------------|----------| -|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. | -| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | -| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | -| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | -| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| -|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| -|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| -| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | - -## Review drivers with known issues - -Drivers that won’t migrate to the new operating system are listed, grouped by availability. - -![Review drivers with known issues](../images/upgrade-analytics-drivers-known.png) - -Availability categories are explained in the table below. - -| Driver availability | Action required before or after upgrade? | What it means | Guidance | -|-----------------------|------------------------------------------|----------------|--------------| -| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
          | No action is required for the upgrade to proceed. | -| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | -| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

          Although a new driver is installed during upgrade, a newer version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | -| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
          | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | - -To change a driver’s upgrade decision: - -1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. - -2. Select **User changes** to enable user input. - -3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. - -## Review low-risk apps and drivers - -Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade. - -![Blade showing low-risk apps](../images/ua-step2-low-risk.png) - -The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. - -The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. - -Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. - -You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. - ->[!NOTE] ->Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. - - At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed. - - - -## Prioritize app and driver testing - -Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. - -### Proposed action plan - -The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid. - -The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently. - -Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.” - ->Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan. - -Each item in the plan has the following attributes: - -| Attribute | Description | Example value | -|-----------------------|------------------------------------------|----------------| -| ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 | -| ItemType | Whether this item is an app or driver -- possible values are: "App" and "Driver." | App | -| ItemName | The name of the app or driver that is in need of review. | Microsoft Visual C++ 2005 Redistributable (x64) | -| ItemVendor | The vendor of the app or driver. | Microsoft Corporation | -| ItemVersion | The version of the app or driver. | 12.1.0.1 | -| ItemLanguage | If this item is an application, then this field will be the language of the app. If the item is a driver, then this will say "N/A." | English | -| ItemHardwareId | If this item is a driver, then this field will be the hardware id of the driver. If the item is an app, then this will say "N/A." | N/A | -| Upgrade Decision | The upgrade decision you have provided for this app or driver. If you have not defined an upgrade decision, then you will see the default value of “Not reviewed.” | Review in progress | -| ComputersUnblocked | Assuming you have already marked all previous items in the proposed action plan “Ready to upgrade”, this represents the number of additional computers that will become “Ready to upgrade” by testing this app or driver and giving it an upgrade decision of “Ready to upgrade”. For example, if ComputersUnblocked is 200, then resolving any issues associated with the app/driver in question will make 200 new computers “Ready to upgrade.” | 200 | -| CumulativeUnblocked | The total number of computers that will become “Ready to upgrade” if you validate and mark this and all prior items in the proposed action plan “Ready to upgrade”. For example, if ItemRank is 7, and CumulativeUnblocked is 950, then fixing items 1 thru 7 in the proposed action plan will cause 950 of your computers to become “Ready to upgrade.” | 950 | -| CumulativeUnblockedPct | The percentage of your machines that will become “Ready to upgrade” if you make this and all prior items in the proposed action plan “Ready to upgrade.” | 0.24 | - -See the following example action plan items (click the image for a full-size view): - -![Proposed action plan](../images/UR-lift-report.jpg) - -
          -In this example, the 3rd item is an application: Microsoft Bing Sports, a modern app, version 4.20.951.0, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make 1014 computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace. - -#### Using the proposed action plan - -There are several valid use cases for the proposed action plan. But it’s always important to remember that the information presented in the Plan is only accurate when sorted by increasing Item Rank! Here are three potential cases in which you could use the proposed action plan: - -1. Quickly determine how many apps and drivers you’ll need to validate in order to make x% of your computers upgrade-ready. To determine this, simply find the first item in the Plan with a CumulativeUnblockedPct greater than or equal to your desired percentage of upgrade-ready computers. The corresponding ItemRank represents the smallest number of apps and drivers that you can validate in order to reach your upgrade readiness goal. The prior items in the proposed action plan itself represent the most efficient route to reaching your goal. - -2. Use the proposed action plan to prepare a small portion of your machines for a pilot of your target Operating System. Let’s say you want to test a new Operating System by upgrading a few hundred computers. You can use the proposed action plan to determine how many apps and drivers you will need to validate before you can be confident that your pilot will be successful. - -3. If your project deadline is approaching and you only have time to validate a few more apps and drivers, you can use the proposed action plan to determine which apps and drivers you should focus on to maximize the number of computers that you can confidently upgrade. - -#### Misconceptions and things to avoid - -The most common misconceptions about the proposed action plan involve the assumption that each item in the plan is independent of those around it. The apps and drivers in the plan must be considered in the correct order to draw valid conclusions. For example, if you choose to validate items 1, 3, 4, and 5 and mark each of them “Ready to upgrade,” the proposed action plan cannot tell you how many computers will become upgrade-ready as a result of your testing. Even the non-cumulative “ComputersUnblocked” count is dependent upon all prior issues having already been resolved. - -If an item with ItemRank = 7 has a ComputersUnblocked value of 50, do not assume that 50 of your computers will become upgrade-ready if you test this item. However, if you validate items 1 through 6 in the plan, you can make an additional 50 computers upgrade-ready by validating the 7th item in the plan. +--- +title: Upgrade Readiness - Resolve application and driver issues (Windows 10) +ms.reviewer: +manager: laurawi +description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.localizationpriority: medium +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Step 2: Resolve app and driver issues + +This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them. + +## In this section + +The blades in the **Step 2: Resolve issues** section are: + +- [Review applications with known issues](#review-applications-with-known-issues) +- [Review known driver issues](#review-drivers-with-known-issues) +- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers) +- [Prioritize app and driver testing](#prioritize-app-and-driver-testing) + +>You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. + +Upgrade decisions include: + + +| Upgrade decision | When to use it | Guidance | +|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Not reviewed | All drivers are marked as Not reviewed by default.

          Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
          | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

          | +| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

          Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

          | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
          | +| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

          In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
          | +| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

          Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
          | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

          | + +As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). + +## Review applications with known issues + +Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. + + + +![Review applications with known issues](../images/upgrade-analytics-apps-known-issues.png) + +To change an application's upgrade decision: + +1. Select **Decide upgrade readiness** to view applications with issues. +2. In the table view, select an **UpgradeDecision** value. +3. Select **Decide upgrade readiness** to change the upgrade decision for each application. +4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. +5. Click **Save** when finished. + +IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. + +For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|-----------|-----------------|------------| +| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
          | No action is required for the upgrade to proceed. | +| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

          The application may work on the new operating system.
          | Remove the application before upgrading, and reinstall and test on new operating system. | +| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
          | +| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
          | +| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

          A compatible version of the application may be available.
          | +| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
          | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
          | +| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | + +For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|----------|-----------------|-------------| +| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | +| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
          | No action is required for the upgrade to proceed. Reinstall application on the new operating system. | +| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
          | +| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
          | + +### ISV support for applications with Ready for Windows + +[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). + +Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: + +![Upgrade analytics Ready for Windows status](../images/upgrade-analytics-ready-for-windows-status.png) + +If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. + +![Upgrade analytics Ready for Windows status guidance precedence](../images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) + +If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. + +![Name publisher rollup](../images/upgrade-analytics-namepub-rollup.png) + +> [!TIP] +> Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. +> +> To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. +> +> Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. + +The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) + +| Ready for Windows Status | Query rollup level | What this means | Guidance | +|-------------------|--------------------------|-----------------|----------| +|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. | +| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | +| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | +| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | +| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| +|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| +|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| +| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | + +## Review drivers with known issues + +Drivers that won’t migrate to the new operating system are listed, grouped by availability. + +![Review drivers with known issues](../images/upgrade-analytics-drivers-known.png) + +Availability categories are explained in the table below. + +| Driver availability | Action required before or after upgrade? | What it means | Guidance | +|-----------------------|------------------------------------------|----------------|--------------| +| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
          | No action is required for the upgrade to proceed. | +| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | +| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

          Although a new driver is installed during upgrade, a newer version is available from Windows Update.
          | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
          | +| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
          | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | + +To change a driver’s upgrade decision: + +1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. + +2. Select **User changes** to enable user input. + +3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. + +4. Click **Save** when finished. + +## Review low-risk apps and drivers + +Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade. + +![Blade showing low-risk apps](../images/ua-step2-low-risk.png) + +The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. + +The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. + +Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. + +You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. + +>[!NOTE] +>Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. + + At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed. + + + +## Prioritize app and driver testing + +Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. + +### Proposed action plan + +The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid. + +The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently. + +Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.” + +>Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan. + +Each item in the plan has the following attributes: + +| Attribute | Description | Example value | +|-----------------------|------------------------------------------|----------------| +| ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 | +| ItemType | Whether this item is an app or driver -- possible values are: "App" and "Driver." | App | +| ItemName | The name of the app or driver that is in need of review. | Microsoft Visual C++ 2005 Redistributable (x64) | +| ItemVendor | The vendor of the app or driver. | Microsoft Corporation | +| ItemVersion | The version of the app or driver. | 12.1.0.1 | +| ItemLanguage | If this item is an application, then this field will be the language of the app. If the item is a driver, then this will say "N/A." | English | +| ItemHardwareId | If this item is a driver, then this field will be the hardware id of the driver. If the item is an app, then this will say "N/A." | N/A | +| Upgrade Decision | The upgrade decision you have provided for this app or driver. If you have not defined an upgrade decision, then you will see the default value of “Not reviewed.” | Review in progress | +| ComputersUnblocked | Assuming you have already marked all previous items in the proposed action plan “Ready to upgrade”, this represents the number of additional computers that will become “Ready to upgrade” by testing this app or driver and giving it an upgrade decision of “Ready to upgrade”. For example, if ComputersUnblocked is 200, then resolving any issues associated with the app/driver in question will make 200 new computers “Ready to upgrade.” | 200 | +| CumulativeUnblocked | The total number of computers that will become “Ready to upgrade” if you validate and mark this and all prior items in the proposed action plan “Ready to upgrade”. For example, if ItemRank is 7, and CumulativeUnblocked is 950, then fixing items 1 thru 7 in the proposed action plan will cause 950 of your computers to become “Ready to upgrade.” | 950 | +| CumulativeUnblockedPct | The percentage of your machines that will become “Ready to upgrade” if you make this and all prior items in the proposed action plan “Ready to upgrade.” | 0.24 | + +See the following example action plan items (click the image for a full-size view): + +![Proposed action plan](../images/UR-lift-report.jpg) + +
          +In this example, the 3rd item is an application: Microsoft Bing Sports, a modern app, version 4.20.951.0, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make 1014 computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace. + +#### Using the proposed action plan + +There are several valid use cases for the proposed action plan. But it’s always important to remember that the information presented in the Plan is only accurate when sorted by increasing Item Rank! Here are three potential cases in which you could use the proposed action plan: + +1. Quickly determine how many apps and drivers you’ll need to validate in order to make x% of your computers upgrade-ready. To determine this, simply find the first item in the Plan with a CumulativeUnblockedPct greater than or equal to your desired percentage of upgrade-ready computers. The corresponding ItemRank represents the smallest number of apps and drivers that you can validate in order to reach your upgrade readiness goal. The prior items in the proposed action plan itself represent the most efficient route to reaching your goal. + +2. Use the proposed action plan to prepare a small portion of your machines for a pilot of your target Operating System. Let’s say you want to test a new Operating System by upgrading a few hundred computers. You can use the proposed action plan to determine how many apps and drivers you will need to validate before you can be confident that your pilot will be successful. + +3. If your project deadline is approaching and you only have time to validate a few more apps and drivers, you can use the proposed action plan to determine which apps and drivers you should focus on to maximize the number of computers that you can confidently upgrade. + +#### Misconceptions and things to avoid + +The most common misconceptions about the proposed action plan involve the assumption that each item in the plan is independent of those around it. The apps and drivers in the plan must be considered in the correct order to draw valid conclusions. For example, if you choose to validate items 1, 3, 4, and 5 and mark each of them “Ready to upgrade,” the proposed action plan cannot tell you how many computers will become upgrade-ready as a result of your testing. Even the non-cumulative “ComputersUnblocked” count is dependent upon all prior issues having already been resolved. + +If an item with ItemRank = 7 has a ComputersUnblocked value of 50, do not assume that 50 of your computers will become upgrade-ready if you test this item. However, if you validate items 1 through 6 in the plan, you can make an additional 50 computers upgrade-ready by validating the 7th item in the plan. diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index 3af81df13a..b4cdb30a40 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md @@ -1,61 +1,61 @@ ---- -title: Upgrade Readiness - Targeting a new operating system version -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Targeting a new operating system version - -After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: - -## TestResults - -If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. - -If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: - -`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` - -After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. - -## UpgradeDecision - -If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. - -If you want to reset them, keep these important points in mind: - -- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. -- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. - -To do this, type the following query in **Log Search**: - -`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"` - ->[!NOTE] ->If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query. - -After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. - - -## Bulk-approving apps from a given vendor - -You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: - -`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` - -After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. - -## Related topics - -[Windows Analytics overview](../update/windows-analytics-overview.md) - -[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) - -[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) - +--- +title: Upgrade Readiness - Targeting a new operating system version +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Targeting a new operating system version + +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: + +## TestResults + +If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. + +## UpgradeDecision + +If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, keep these important points in mind: + +- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. +- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. + +To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"` + +>[!NOTE] +>If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query. + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. + + +## Bulk-approving apps from a given vendor + +You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. + +## Related topics + +[Windows Analytics overview](../update/windows-analytics-overview.md) + +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) + diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index 7ef0302e8a..8bbc0e4a13 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -1,73 +1,73 @@ ---- -title: Upgrade Readiness - Upgrade Overview (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Displays the total count of computers sharing data and upgraded. -ms.prod: w10 -author: greg-lindsay -ms.topic: article -ms.collection: M365-analytics ---- - -# Upgrade Readiness - Upgrade overview - -The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. - -The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version). - -The following color-coded status changes are reflected on the upgrade overview blade: - -- The "Last updated" banner: - - No delay in processing device inventory data = "Last updated" banner is displayed in green. - - Delay processing device inventory data = "Last updated" banner is displayed in amber. -- Computers with incomplete data: - - Less than 4% = Count is displayed in green. - - 4% - 10% = Count is displayed in amber. - - Greater than 10% = Count is displayed in red. -- Computers with outdated KB: - - Less than 10% = Count is displayed in green. - - 10% - 30% = Count is displayed in amber. - - Greater than 30% = Count is displayed in red. -- User changes: - - Pending user changes = User changes count displays "Data refresh pending" in amber. - - No pending user changes = User changes count displays "Up to date" in green. -- Target version: - - If the current value matches the recommended value, the version is displayed in green. - - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. - - If the current value is a deprecated OS version, the version is displayed in red. - -Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates. - -In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: - -![Upgrade overview](../images/ur-overview.png) - - - -If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours. - -If there are computers with incomplete data, verify that you have installed the latest compatibilty updates. Install the updates if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script. - -Select **Total computers** for a list of computers and details about them, including: - -- Computer ID and computer name -- Computer manufacturer -- Computer model -- Operating system version and build -- Count of system requirement, application, and driver issues per computer -- Upgrade assessment based on analysis of computer diagnostic data -- Upgrade decision status - -Select **Total applications** for a list of applications discovered on user computers and details about them, including: - -- Application vendor -- Application version -- Count of computers the application is installed on -- Count of computers that opened the application at least once in the past 30 days -- Percentage of computers in your total computer inventory that opened the application in the past 30 days -- Issues detected, if any -- Upgrade assessment based on analysis of application data -- Rollup level +--- +title: Upgrade Readiness - Upgrade Overview (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Displays the total count of computers sharing data and upgraded. +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-analytics +--- + +# Upgrade Readiness - Upgrade overview + +The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. + +The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version). + +The following color-coded status changes are reflected on the upgrade overview blade: + +- The "Last updated" banner: + - No delay in processing device inventory data = "Last updated" banner is displayed in green. + - Delay processing device inventory data = "Last updated" banner is displayed in amber. +- Computers with incomplete data: + - Less than 4% = Count is displayed in green. + - 4% - 10% = Count is displayed in amber. + - Greater than 10% = Count is displayed in red. +- Computers with outdated KB: + - Less than 10% = Count is displayed in green. + - 10% - 30% = Count is displayed in amber. + - Greater than 30% = Count is displayed in red. +- User changes: + - Pending user changes = User changes count displays "Data refresh pending" in amber. + - No pending user changes = User changes count displays "Up to date" in green. +- Target version: + - If the current value matches the recommended value, the version is displayed in green. + - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. + - If the current value is a deprecated OS version, the version is displayed in red. + +Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates. + +In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: + +![Upgrade overview](../images/ur-overview.png) + + + +If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours. + +If there are computers with incomplete data, verify that you have installed the latest compatibilty updates. Install the updates if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script. + +Select **Total computers** for a list of computers and details about them, including: + +- Computer ID and computer name +- Computer manufacturer +- Computer model +- Operating system version and build +- Count of system requirement, application, and driver issues per computer +- Upgrade assessment based on analysis of computer diagnostic data +- Upgrade decision status + +Select **Total applications** for a list of applications discovered on user computers and details about them, including: + +- Application vendor +- Application version +- Count of computers the application is installed on +- Count of computers that opened the application at least once in the past 30 days +- Percentage of computers in your total computer inventory that opened the application in the past 30 days +- Issues detected, if any +- Upgrade assessment based on analysis of application data +- Rollup level diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 23551d5256..82f4193c52 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -1,216 +1,216 @@ ---- -title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10) -description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process. -ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 - -The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. - -## Proof-of-concept environment - - -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![figure 1](../images/upgrademdt-fig1-machines.png) - -Figure 1. The machines used in this topic. - -## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager - - -System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks. - -## Create the task sequence - - -To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform: - -1. Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share. -2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder. -3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1. -4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point. - -For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above. - -## Create a device collection - - -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed. - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - - General - - - Name: Windows 10 Enterprise x64 Upgrade - - - Limited Collection: All Systems - - - Membership rules: - - - Direct rule - - - Resource Class: System Resource - - - Attribute Name: Name - - - Value: PC0001 - - - Select Resources - - - Select PC0001 - -2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. - -## Deploy the Windows 10 upgrade - - -In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. -2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. -3. On the **Content** page, click **Next**. -4. On the **Deployment Settings** page, select the following settings, and then click **Next**: - - Action: Install - - - Purpose: Available - -5. On the **Scheduling** page, accept the default settings, and then click **Next**. -6. On the **User Experience** page, accept the default settings, and then click **Next**. -7. On the **Alerts** page, accept the default settings, and then click **Next**. -8. On the **Summary** page, click **Next**, and then click **Close**. - -## Start the Windows 10 upgrade - - -In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). - -1. On PC0001, start the **Software Center**. -2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**. - -When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![figure 2](../images/upgradecfg-fig2-upgrading.png) - -Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. - -After the task sequence finishes, the computer will be fully upgraded to Windows 10. - -## Upgrade to Windows 10 with System Center Configuration Manager Current Branch - - -With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. - -**Note**   -For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. - - - -### Create the OS upgrade package - -First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media. - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**. -2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**. -3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**. -4. On the **Summary** page, click **Next**, and then click **Close**. -5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point. - -### Create the task sequence - -To create an upgrade task sequence, perform the following steps: - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**. -2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. -3. On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**. -4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**. -5. Click **Next** through the remaining wizard pages, and then click **Close**. - -![figure 3](../images/upgradecfg-fig3-upgrade.png) - -Figure 3. The Configuration Manager upgrade task sequence. - -### Create a device collection - -After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - - General - - - Name: Windows 10 Enterprise x64 Upgrade - - - Limited Collection: All Systems - - - Membership rules: - - - Direct rule - - - Resource Class: System Resource - - - Attribute Name: Name - - - Value: PC0001 - - - Select Resources - - - Select PC0001 - -2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. - -### Deploy the Windows 10 upgrade - -In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. - -1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. -2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. -3. On the **Content** page, click **Next**. -4. On the **Deployment Settings** page, select the following settings and click **Next**: - - Action: Install - - - Purpose: Available - -5. On the **Scheduling** page, accept the default settings, and then click **Next**. -6. On the **User Experience** page, accept the default settings, and then click **Next**. -7. On the **Alerts** page, accept the default settings, and then click **Next**. -8. On the **Summary** page, click **Next**, and then click **Close**. - -### Start the Windows 10 upgrade - -In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). - -1. On PC0001, start the **Software Center**. -2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** - -When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related topics - - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109) - - - - - - - - - +--- +title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10) +description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process. +ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 + +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. + +## Proof-of-concept environment + + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](../images/upgrademdt-fig1-machines.png) + +Figure 1. The machines used in this topic. + +## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager + + +System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks. + +## Create the task sequence + + +To help with this process, the Configuration Manager team has published [a blog](https://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](https://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform: + +1. Download the [Windows10Upgrade1506.zip](https://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share. +2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder. +3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1. +4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point. + +For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above. + +## Create a device collection + + +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the Configuration Manager client installed. + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + - General + + - Name: Windows 10 Enterprise x64 Upgrade + + - Limited Collection: All Systems + + - Membership rules: + + - Direct rule + + - Resource Class: System Resource + + - Attribute Name: Name + + - Value: PC0001 + + - Select Resources + + - Select PC0001 + +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. + +## Deploy the Windows 10 upgrade + + +In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. +2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. +3. On the **Content** page, click **Next**. +4. On the **Deployment Settings** page, select the following settings, and then click **Next**: + - Action: Install + + - Purpose: Available + +5. On the **Scheduling** page, accept the default settings, and then click **Next**. +6. On the **User Experience** page, accept the default settings, and then click **Next**. +7. On the **Alerts** page, accept the default settings, and then click **Next**. +8. On the **Summary** page, click **Next**, and then click **Close**. + +## Start the Windows 10 upgrade + + +In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). + +1. On PC0001, start the **Software Center**. +2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**. + +When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![figure 2](../images/upgradecfg-fig2-upgrading.png) + +Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. + +After the task sequence finishes, the computer will be fully upgraded to Windows 10. + +## Upgrade to Windows 10 with System Center Configuration Manager Current Branch + + +With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. + +**Note**   +For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. + + + +### Create the OS upgrade package + +First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**. +2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**. +3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**. +4. On the **Summary** page, click **Next**, and then click **Close**. +5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point. + +### Create the task sequence + +To create an upgrade task sequence, perform the following steps: + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**. +2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. +3. On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**. +4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**. +5. Click **Next** through the remaining wizard pages, and then click **Close**. + +![figure 3](../images/upgradecfg-fig3-upgrade.png) + +Figure 3. The Configuration Manager upgrade task sequence. + +### Create a device collection + +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + - General + + - Name: Windows 10 Enterprise x64 Upgrade + + - Limited Collection: All Systems + + - Membership rules: + + - Direct rule + + - Resource Class: System Resource + + - Attribute Name: Name + + - Value: PC0001 + + - Select Resources + + - Select PC0001 + +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0001 machine in the collection. + +### Deploy the Windows 10 upgrade + +In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. +2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. +3. On the **Content** page, click **Next**. +4. On the **Deployment Settings** page, select the following settings and click **Next**: + - Action: Install + + - Purpose: Available + +5. On the **Scheduling** page, accept the default settings, and then click **Next**. +6. On the **User Experience** page, accept the default settings, and then click **Next**. +7. On the **Alerts** page, accept the default settings, and then click **Next**. +8. On the **Summary** page, click **Next**, and then click **Close**. + +### Start the Windows 10 upgrade + +In this section, you start the Windows 10 Upgrade task sequence on PC0001 (currently running Windows 7 SP1). + +1. On PC0001, start the **Software Center**. +2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** + +When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109) + + + + + + + + + diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 1b00b1f559..2a7e01c1d8 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,109 +1,109 @@ ---- -title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) -description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 10 with MDT - -**Applies to** -- Windows 10 - -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. - -## Proof-of-concept environment - -For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![fig 1](../images/upgrademdt-fig1-machines.png) - -Figure 1. The machines used in this topic. - -## Set up the upgrade task sequence - -MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple. - -## Create the MDT production deployment share - -The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: - -1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd. -2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -## Add Windows 10 Enterprise x64 (full source) - -In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder. - -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. -2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. -3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - Full set of source files - - Source directory: E:\\Downloads\\Windows 10 Enterprise x64 - - Destination directory name: W10EX64RTM -4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** - -![figure 2](../images/upgrademdt-fig2-importedos.png) - -Figure 2. The imported Windows 10 operating system after you rename it. - -## Create a task sequence to upgrade to Windows 10 Enterprise - -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-UPG - - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Default Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: about:blank - - Admin Password: Do not specify an Administrator Password at this time - -![figure 3](../images/upgrademdt-fig3-tasksequence.png) - -Figure 3. The task sequence to upgrade to Windows 10. - -## Perform the Windows 10 upgrade - -To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). - -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. - - ![figure 4](../images/upgrademdt-fig4-selecttask.png) - - Figure 4. Upgrade task sequence. - -3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) -4. On the **Ready** tab, click **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![figure 5](../images/upgrademdt-fig5-winupgrade.png) - -Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related topics - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - +--- +title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) +description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 10 with MDT + +**Applies to** +- Windows 10 + +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. + +## Proof-of-concept environment + +For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![fig 1](../images/upgrademdt-fig1-machines.png) + +Figure 1. The machines used in this topic. + +## Set up the upgrade task sequence + +MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple. + +## Create the MDT production deployment share + +The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: + +1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd. +2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Add Windows 10 Enterprise x64 (full source) + +In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder. + +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. +2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + - Source directory: E:\\Downloads\\Windows 10 Enterprise x64 + - Destination directory name: W10EX64RTM +4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** + +![figure 2](../images/upgrademdt-fig2-importedos.png) + +Figure 2. The imported Windows 10 operating system after you rename it. + +## Create a task sequence to upgrade to Windows 10 Enterprise + +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-UPG + - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade + - Template: Standard Client Upgrade Task Sequence + - Select OS: Windows 10 Enterprise x64 RTM Default Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: about:blank + - Admin Password: Do not specify an Administrator Password at this time + +![figure 3](../images/upgrademdt-fig3-tasksequence.png) + +Figure 3. The task sequence to upgrade to Windows 10. + +## Perform the Windows 10 upgrade + +To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). + +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. + + ![figure 4](../images/upgrademdt-fig4-selecttask.png) + + Figure 4. Upgrade task sequence. + +3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) +4. On the **Ready** tab, click **Begin** to start the task sequence. + When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![figure 5](../images/upgrademdt-fig5-winupgrade.png) + +Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) + diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 78f2f9d558..78d70d0d25 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -1,113 +1,113 @@ ---- -title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) -ms.reviewer: -manager: laurawi -ms.author: greglin -description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. -keywords: upgrade, update, windows, phone, windows 10, mdm, mobile -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdm -author: greg-lindsay -ms.topic: article ---- - -# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) - -**Applies to** - -- Windows 10 Mobile - -## Summary - -This article describes how system administrators can upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM). - ->[!IMPORTANT] ->If you are not a system administrator, see the [Windows 10 Mobile Upgrade & Updates](https://www.microsoft.com/windows/windows-10-mobile-upgrade) page for details about updating your Windows 8.1 Mobile device to Windows 10 Mobile using the [Upgrade Advisor](https://www.microsoft.com/store/p/upgrade-advisor/9nblggh0f5g4). - -## Upgrading with MDM - -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. - -If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. - -Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. - -## More information - -To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. - -### Prerequisites - -- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. -- Device connected to Wi-Fi or cellular network to perform scan for upgrade. -- Device is already enrolled with an MDM session. -- Device is able to receive the management policy. -- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. - -### Instructions for the MDM server - -The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. - -``` -[HKLM\Software\Microsoft\Provisioning\OMADM] -"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” -``` - - -The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. - -``` -SyncML xmlns="SYNCML:SYNCML1.1"> - - - 250 - - - ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade - - - chr - - d369c9b6-2379-466d-9162-afc53361e3c2 - - - - -           -``` - -The OMA DM server policy description is provided in the following table: - -|Item |Setting | -|------|------------| -| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | -| Data Type |String | -| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | - - -After the device consumes the policy, it will be able to receive an available upgrade. - -To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. - -### How to determine whether an upgrade is available for a device - -The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). - -We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. - -Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 Mobile FAQ](https://support.microsoft.com/help/10599/windows-10-mobile-how-to-get) page. - -### How to blacklist the Upgrade Advisor app - -Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: - -http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 - -For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/windows/dn771706.aspx). - -## Related topics - -[Windows 10 Mobile and mobile device management](/windows/client-management/windows-10-mobile-and-mdm) +--- +title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) +ms.reviewer: +manager: laurawi +ms.author: greglin +description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. +keywords: upgrade, update, windows, phone, windows 10, mdm, mobile +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdm +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) + +**Applies to** + +- Windows 10 Mobile + +## Summary + +This article describes how system administrators can upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM). + +>[!IMPORTANT] +>If you are not a system administrator, see the [Windows 10 Mobile Upgrade & Updates](https://www.microsoft.com/windows/windows-10-mobile-upgrade) page for details about updating your Windows 8.1 Mobile device to Windows 10 Mobile using the [Upgrade Advisor](https://www.microsoft.com/store/p/upgrade-advisor/9nblggh0f5g4). + +## Upgrading with MDM + +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. + +If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. + +Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. + +## More information + +To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. + +### Prerequisites + +- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. +- Device connected to Wi-Fi or cellular network to perform scan for upgrade. +- Device is already enrolled with an MDM session. +- Device is able to receive the management policy. +- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. + +### Instructions for the MDM server + +The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. + +``` +[HKLM\Software\Microsoft\Provisioning\OMADM] +"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” +``` + + +The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. + +``` +SyncML xmlns="SYNCML:SYNCML1.1"> + + + 250 + + + ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade + + + chr + + d369c9b6-2379-466d-9162-afc53361e3c2 + + + + +           +``` + +The OMA DM server policy description is provided in the following table: + +|Item |Setting | +|------|------------| +| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +| Data Type |String | +| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | + + +After the device consumes the policy, it will be able to receive an available upgrade. + +To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. + +### How to determine whether an upgrade is available for a device + +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). + +We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. + +Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 Mobile FAQ](https://support.microsoft.com/help/10599/windows-10-mobile-how-to-get) page. + +### How to blacklist the Upgrade Advisor app + +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: + +http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 + +For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/windows/dn771706.aspx). + +## Related topics + +[Windows 10 Mobile and mobile device management](/windows/client-management/windows-10-mobile-and-mdm) diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index bc54105187..671ba50c38 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -1,63 +1,63 @@ ---- -title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) -ms.reviewer: -manager: laurawi -description: Describes how to use Upgrade Readiness to manage Windows upgrades. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, -ms.localizationpriority: medium -ms.prod: w10 -author: greg-lindsay -ms.author: greglin -ms.topic: article ---- - -# Use Upgrade Readiness to manage Windows upgrades - ->[!IMPORTANT] ->>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). - -You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. - -- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. -- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. - -When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. - -![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) - -Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. - ->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). - -The following information and workflow is provided: - -- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. -- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. -- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. -- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. - -Also see the following topic for information about additional items that can be affected by the upgrade process: - -- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. - -## Target version - -The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: - -![Upgrade overview showing target version](../images/ur-target-version.png) - -The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. - -The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. - -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. - -To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: - -![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) - ->You must be signed in to Upgrade Readiness as an administrator to view settings. - -On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. - -![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) +--- +title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) +ms.reviewer: +manager: laurawi +description: Describes how to use Upgrade Readiness to manage Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +audience: itpro author: greg-lindsay +ms.author: greglin +ms.topic: article +--- + +# Use Upgrade Readiness to manage Windows upgrades + +>[!IMPORTANT] +>>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started). + +You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues. + +- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness. +- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them. + +When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. + +![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) + +Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. + +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). + +The following information and workflow is provided: + +- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers. +- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications. +- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications. +- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process. + +Also see the following topic for information about additional items that can be affected by the upgrade process: + +- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity. + +## Target version + +The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: + +![Upgrade overview showing target version](../images/ur-target-version.png) + +The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. + +The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. + +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. + +To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: + +![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) + +>You must be signed in to Upgrade Readiness as an administrator to view settings. + +On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. + +![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 4b834a7569..72345c3d54 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -1,250 +1,250 @@ ---- -title: Windows 10 edition upgrade (Windows 10) -description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. -ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 edition upgrade - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. - -For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). - -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. - -Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager. - -![not supported](../images/x_blk.png) (X) = not supported
          -![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
          -![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
          - - - -| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | -|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | -| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | -| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | - -> [!NOTE] -> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) -> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. ->
          -> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. - -## Upgrade using mobile device management (MDM) -- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). - -- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). - -## Upgrade using a provisioning package -Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). - -- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - -- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - -For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) -- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) - - -## Upgrade using a command-line tool -You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: - -`changepk.exe /ProductKey ` - -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. - -`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` - - -## Upgrade by manually entering a product key -If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. - -**To manually enter a product key** - -1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. - -2. Click **Change product key**. - -3. Enter your product key. - -4. Follow the on-screen instructions. - -## Upgrade by purchasing a license from the Microsoft Store -If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store. - -**To upgrade through the Microsoft Store** - -1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. - -2. Click **Go to Store**. - -3. Follow the on-screen instructions. - - **Note**
          If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). - -## License expiration - -Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required. - -Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. - -Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. - -### Scenario example - -Downgrading from Enterprise -- Original edition: **Professional OEM** -- Upgrade edition: **Enterprise** -- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** - -You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). - -### Supported Windows 10 downgrade paths - -✔ = Supported downgrade path
          - S  = Supported; Not considered a downgrade or an upgrade
          -[blank] = Not supported or not a downgrade
          - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Destination edition
                HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
          Starting edition
          Home
          Pro
          Pro for Workstations
          Pro Education
          EducationS
          Enterprise LTSC
          EnterpriseS
          - -> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. -> -> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. - -Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. - -## Related topics - -[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
          -[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
          -[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) +--- +title: Windows 10 edition upgrade (Windows 10) +description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. +ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mobile +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 edition upgrade + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. + +For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). + +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager. + +![not supported](../images/x_blk.png) (X) = not supported
          +![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
          +![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
          + + + +| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- | +| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | +| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
          (1703 - PC)
          (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
          (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | + +> [!NOTE] +> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) +> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. +>
          +> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. + +## Upgrade using mobile device management (MDM) +- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). + +- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). + +## Upgrade using a provisioning package +Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). + +- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +For more info about Windows Configuration Designer, see these topics: +- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) +- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) + + +## Upgrade using a command-line tool +You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: + +`changepk.exe /ProductKey ` + +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. + +`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` + + +## Upgrade by manually entering a product key +If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. + +**To manually enter a product key** + +1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Change product key**. + +3. Enter your product key. + +4. Follow the on-screen instructions. + +## Upgrade by purchasing a license from the Microsoft Store +If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store. + +**To upgrade through the Microsoft Store** + +1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Go to Store**. + +3. Follow the on-screen instructions. + + **Note**
          If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). + +## License expiration + +Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required. + +Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. + +Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. + +### Scenario example + +Downgrading from Enterprise +- Original edition: **Professional OEM** +- Upgrade edition: **Enterprise** +- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** + +You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). + +### Supported Windows 10 downgrade paths + +✔ = Supported downgrade path
          + S  = Supported; Not considered a downgrade or an upgrade
          +[blank] = Not supported or not a downgrade
          + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Destination edition
                HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
          Starting edition
          Home
          Pro
          Pro for Workstations
          Pro Education
          EducationS
          Enterprise LTSC
          EnterpriseS
          + +> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +> +> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. + +Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. + +## Related topics + +[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
          +[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
          +[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 42361c65c9..c1cf90e9a0 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium ms.pagetype: mobile +audience: itpro author: greg-lindsay ms.topic: article --- @@ -27,7 +28,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can > > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. > -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). +> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. > > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. > diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 8397184345..f0f918ef4a 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -1,73 +1,73 @@ ---- -title: Windows error reporting - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Windows Error Reporting - -**Applies to** -- Windows 10 - ->[!NOTE] -> This is a 300 level topic (moderately advanced). -> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell. - -To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: - ->[!IMPORTANT] ->}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. - -```Powershell -$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} -$event = [xml]$events[0].ToXml() -$event.Event.EventData.Data -``` - -To use Event Viewer: -1. Open Event Viewer and navigate to **Windows Logs\Application**. -2. Click **Find**, and then search for **winsetupdiag02**. -3. Double-click the event that is highlighted. - -Note: For legacy operating systems, the Event Name was WinSetupDiag01. - -Ten parameters are listed in the event: - -| Parameters | -| ------------- | -|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | -|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | -|P3: New OS Architecture (x=default,0=X86,9=AMD64) | -|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | -|**P5: Result Error Code** (Ex: 0xc1900101) | -|**P6: Extend Error Code** (Ex: 0x20017) | -|P7: Source OS build (Ex: 9600) | -|P8: Source OS branch (not typically available) | -|P9: New OS build (Ex: 16299} | -|P10: New OS branch (Ex: rs3_release} | - - -The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. - -![Windows Error Reporting](../images/event.png) - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) -[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Windows error reporting - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Windows Error Reporting + +**Applies to** +- Windows 10 + +>[!NOTE] +> This is a 300 level topic (moderately advanced). +> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell. + +To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: + +>[!IMPORTANT] +>}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. + +```Powershell +$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} +$event = [xml]$events[0].ToXml() +$event.Event.EventData.Data +``` + +To use Event Viewer: +1. Open Event Viewer and navigate to **Windows Logs\Application**. +2. Click **Find**, and then search for **winsetupdiag02**. +3. Double-click the event that is highlighted. + +Note: For legacy operating systems, the Event Name was WinSetupDiag01. + +Ten parameters are listed in the event: + +| Parameters | +| ------------- | +|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | +|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | +|P3: New OS Architecture (x=default,0=X86,9=AMD64) | +|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | +|**P5: Result Error Code** (Ex: 0xc1900101) | +|**P6: Extend Error Code** (Ex: 0x20017) | +|P7: Source OS build (Ex: 9600) | +|P8: Source OS branch (not typically available) | +|P9: New OS build (Ex: 16299} | +|P10: New OS branch (Ex: rs3_release} | + + +The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. + +![Windows Error Reporting](../images/event.png) + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 3d4945693b..6062bfa905 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -1,79 +1,79 @@ ---- -title: Windows Upgrade and Migration Considerations (Windows 10) -description: Windows Upgrade and Migration Considerations -ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows upgrade and migration considerations -Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. - -## Upgrade from a previous version of Windows -You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. - -## Migrate files and settings -Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. - -For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349). - -The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. - -### Migrate with Windows Easy Transfer -Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. - -With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. - -> [!NOTE] -> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). - -### Migrate with the User State Migration Tool -You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. - -## Upgrade and migration considerations -Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: - -### Application compatibility -For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). - -### Multilingual Windows image upgrades -When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. - -If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. - -### Errorhandler.cmd -When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. - -### Data drive ACL migration -During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. - -Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: - -``` syntax -Key: HKLM\System\Setup -Type: REG_DWORD -Value: "DDACLSys_Disabled" = 1 -``` - -This feature is disabled if this registry key value exists and is configured to `1`. - -## Related topics -[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
          -[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
          -[Windows 10 edition upgrade](windows-10-edition-upgrades.md) - - -  - -  - - - - - +--- +title: Windows Upgrade and Migration Considerations (Windows 10) +description: Windows Upgrade and Migration Considerations +ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows upgrade and migration considerations +Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. + +## Upgrade from a previous version of Windows +You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. + +## Migrate files and settings +Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. + +For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349). + +The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. + +### Migrate with Windows Easy Transfer +Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. + +With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. + +> [!NOTE] +> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). + +### Migrate with the User State Migration Tool +You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. + +## Upgrade and migration considerations +Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: + +### Application compatibility +For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). + +### Multilingual Windows image upgrades +When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. + +If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. + +### Errorhandler.cmd +When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. + +### Data drive ACL migration +During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. + +Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: + +``` syntax +Key: HKLM\System\Setup +Type: REG_DWORD +Value: "DDACLSys_Disabled" = 1 +``` + +This feature is disabled if this registry key value exists and is configured to `1`. + +## Related topics +[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
          +[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
          +[Windows 10 edition upgrade](windows-10-edition-upgrades.md) + + +  + +  + + + + + diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 18c68ba130..8a830c5fd9 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -1,86 +1,86 @@ ---- -title: Getting Started with the User State Migration Tool (USMT) (Windows 10) -description: Getting Started with the User State Migration Tool (USMT) -ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Getting Started with the User State Migration Tool (USMT) -This topic outlines the general process that you should follow to migrate files and settings. - -## In this Topic -- [Step 1: Plan Your Migration](#step-1-plan-your-migration) - -- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer) - -- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings) - -## Step 1: Plan your migration -1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). - -2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. - -3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). - -4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md) - -5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. - - **Important**   - We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. - - You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - -6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files: - - `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log` - -7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. - -## Step 2: Collect files and settings from the source computer -1. Back up the source computer. - -2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. - - **Note**   - USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. - -3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example, - - `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` - - **Note**   - If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). - -4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. - -## Step 3: Prepare the destination computer and restore files and settings -1. Install the operating system on the destination computer. - -2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. - - **Note**   - The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. - -3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. - - **Note**   - Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail. - -4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). - - For example, the following command migrates the files and settings: - - `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` - - **Note**   - Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. - -5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on. +--- +title: Getting Started with the User State Migration Tool (USMT) (Windows 10) +description: Getting Started with the User State Migration Tool (USMT) +ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Getting Started with the User State Migration Tool (USMT) +This topic outlines the general process that you should follow to migrate files and settings. + +## In this Topic +- [Step 1: Plan Your Migration](#step-1-plan-your-migration) + +- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer) + +- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings) + +## Step 1: Plan your migration +1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. + +3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + +4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md) + +5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. + + **Important**   + We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. + + You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files: + + `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log` + +7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. + +## Step 2: Collect files and settings from the source computer +1. Back up the source computer. + +2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. + + **Note**   + USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. + +3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example, + + `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` + + **Note**   + If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). + +4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. + +## Step 3: Prepare the destination computer and restore files and settings +1. Install the operating system on the destination computer. + +2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. + + **Note**   + The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. + +3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. + + **Note**   + Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail. + +4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). + + For example, the following command migrates the files and settings: + + `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` + + **Note**   + Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. + +5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on. diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 42df4ca724..8ca3e5b215 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -1,172 +1,172 @@ ---- -title: Migrate Application Settings (Windows 10) -description: Migrate Application Settings -ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate Application Settings - - -You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. - -This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. - -This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. - -## In this Topic - - -- [Before You Begin](#bkmk-beforebegin) - -- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). - -- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). - -- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). - -- [Step 4: Create the migration XML component for the application](#bkmk-step4). - -- [Step 5: Test the application settings migration](#bkmk-step5). - -## Before You Begin - - -You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. - -## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. - - -Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. - -There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. - -### Check the registry for an application uninstall key. - -When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. - -Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. - -### Check the file system for the application executable file. - -You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. - -## Step 2: Identify settings to collect and determine where each setting is stored on the computer. - - -Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. - -### - -**How To Determine Where Each Setting is Stored** - -1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109). - -2. Shut down as many applications as possible to limit the registry and file system activity on the computer. - -3. Filter the output of the tools so it only displays changes being made by the application. - - **Note**   - Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. - - - -4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. - -5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. - - **Note**   - Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. - - - -## Step 3: Identify how to apply the gathered settings. - - -If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: - -### Case 1: The version of the application on the destination computer is newer than the one on the source computer. - -In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: - -- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. - - To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. - -- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - -### Case 2: The destination computer already contains settings for the application. - -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. - -### Case 3: The application overwrites settings when it is installed. - -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. - -## Step 4: Create the migration XML component for the application - - -After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. - -**Note**   -We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. - - - -**Important**   -Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. - - - -Your script should do the following: - -1. Check whether the application and correct version is installed by: - - - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. - - - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. - -2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. - - - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. - - - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - - - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. - -For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). - -## Step 5: Test the application settings migration - - -On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. - -To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[XML Elements Library](usmt-xml-elements-library.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Migrate Application Settings (Windows 10) +description: Migrate Application Settings +ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate Application Settings + + +You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. + +This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. + +This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. + +## In this Topic + + +- [Before You Begin](#bkmk-beforebegin) + +- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). + +- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). + +- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). + +- [Step 4: Create the migration XML component for the application](#bkmk-step4). + +- [Step 5: Test the application settings migration](#bkmk-step5). + +## Before You Begin + + +You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. + +## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. + + +Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. + +There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. + +### Check the registry for an application uninstall key. + +When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. + +Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. + +### Check the file system for the application executable file. + +You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. + +## Step 2: Identify settings to collect and determine where each setting is stored on the computer. + + +Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. + +### + +**How To Determine Where Each Setting is Stored** + +1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109). + +2. Shut down as many applications as possible to limit the registry and file system activity on the computer. + +3. Filter the output of the tools so it only displays changes being made by the application. + + **Note**   + Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. + + + +4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. + +5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. + + **Note**   + Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. + + + +## Step 3: Identify how to apply the gathered settings. + + +If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: + +### Case 1: The version of the application on the destination computer is newer than the one on the source computer. + +In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: + +- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. + + To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. + +- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + +### Case 2: The destination computer already contains settings for the application. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. + +### Case 3: The application overwrites settings when it is installed. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. + +## Step 4: Create the migration XML component for the application + + +After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. + +**Note**   +We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. + + + +**Important**   +Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. + + + +Your script should do the following: + +1. Check whether the application and correct version is installed by: + + - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. + + - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. + +2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. + + - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. + + - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + + - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. + +For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). + +## Step 5: Test the application settings migration + + +On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. + +To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[XML Elements Library](usmt-xml-elements-library.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index b27a83634c..2d1d744fa6 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -1,81 +1,81 @@ ---- -title: Migration Store Types Overview (Windows 10) -description: Migration Store Types Overview -ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migration Store Types Overview - - -When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. - -## In This Topic - - -[Migration Store Types](#bkmk-types) - -[Local Store vs. Remote Store](#bkmk-localvremote) - -[The /localonly Command-Line Option](#bkmk-localonly) - -## Migration Store Types - - -This section describes the three migration store types available in USMT. - -### Uncompressed (UNC) - -The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. - -### Compressed - -The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. - -### Hard-Link - -A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. - -You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). - -The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. - -![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) - -## Local Store vs. Remote Store - - -If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. - -If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. - -**Important**   -If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. - - - -### The /localonly Command-Line Option - -You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: Migration Store Types Overview (Windows 10) +description: Migration Store Types Overview +ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migration Store Types Overview + + +When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. + +## In This Topic + + +[Migration Store Types](#bkmk-types) + +[Local Store vs. Remote Store](#bkmk-localvremote) + +[The /localonly Command-Line Option](#bkmk-localonly) + +## Migration Store Types + + +This section describes the three migration store types available in USMT. + +### Uncompressed (UNC) + +The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. + +### Compressed + +The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. + +### Hard-Link + +A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. + +You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). + +The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. + +![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) + +## Local Store vs. Remote Store + + +If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. + +If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. + +**Important**   +If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. + + + +### The /localonly Command-Line Option + +You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 805c560048..2eab7ea7b8 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -104,7 +105,7 @@ It is possible to run the ScanState tool while the drive remains encrypted by su User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: -``` syntax +``` xml @@ -242,7 +243,7 @@ Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: &l The following XML example illustrates some of the elements discussed earlier in this topic. -``` syntax +``` xml C:\Windows diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 1b14b72d27..bc484bd496 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -225,7 +226,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t For example, you can use all of the XML migration file types for a single migration, as in the following example: -``` syntax +``` Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml ``` @@ -258,14 +259,14 @@ To generate the XML migration rules file for a source computer: 3. At the command prompt, type: - ``` syntax + ``` cd /d scanstate.exe /genmigxml: ``` Where *<USMTpath>* is the location on your source computer where you have saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, type: - ``` syntax + ``` cd /d c:\USMT scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" ``` @@ -313,13 +314,13 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr **Usage:** -``` syntax +``` MigXmlHelper.GenerateDocPatterns ("", "", "") ``` To create include data patterns for only the system drive: -``` syntax +``` xml @@ -329,7 +330,7 @@ To create include data patterns for only the system drive: To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory: -``` syntax +``` xml @@ -339,7 +340,7 @@ To create an include rule to gather files for registered extensions from the %PR To create exclude data patterns: -``` syntax +``` xml @@ -440,7 +441,7 @@ To exclude the new text document.txt file as well as any .txt files in “new fo To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension. -``` syntax +``` xml D:\Newfolder\[new text document.txt] @@ -453,7 +454,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -``` syntax +``` xml @@ -465,7 +466,7 @@ If you do not know the file name or location of the file, but you do know the fi If you want the <UnconditionalExclude> element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. -``` syntax +``` xml MigDocExcludes @@ -490,7 +491,7 @@ The application data directory is the most common location that you would need t This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. -``` syntax +``` xml %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] @@ -502,7 +503,7 @@ This rule will include .pst files that are located in the default location, but For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component. -``` syntax +``` xml %CSIDL_PROGRAM_FILES%\*[*.pst] diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index ac51eb5045..48782e0bdc 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -98,7 +99,7 @@ As the authorized administrator, it is your responsibility to protect the privac Although it is not a requirement, it is good practice for <CustomFileName> to match the name of the file. For example, the following is from the MigApp.xml file: - ``` syntax + ``` xml ``` diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 50445e7561..75c4393563 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -1,65 +1,65 @@ ---- -title: Choose a Migration Store Type (Windows 10) -description: Choose a Migration Store Type -ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Choose a Migration Store Type - - -One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - -

          Migration Store Types Overview

          Choose the migration store type that works best for your needs and migration scenario.

          Estimate Migration Store Size

          Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

          Hard-Link Migration Store

          Learn about hard-link migration stores and the scenarios in which they are used.

          Migration Store Encryption

          Learn about the using migration store encryption to protect user data integrity during a migration.

          - - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - - - - - - - - - +--- +title: Choose a Migration Store Type (Windows 10) +description: Choose a Migration Store Type +ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Choose a Migration Store Type + + +One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

          Migration Store Types Overview

          Choose the migration store type that works best for your needs and migration scenario.

          Estimate Migration Store Size

          Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

          Hard-Link Migration Store

          Learn about hard-link migration stores and the scenarios in which they are used.

          Migration Store Encryption

          Learn about the using migration store encryption to protect user data integrity during a migration.

          + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 2f513af87c..43d9d9c686 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -1,54 +1,54 @@ ---- -title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) -description: User State Migration Tool (USMT) Command-line Syntax -ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Command-line Syntax - - -The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. - -## In This Section - - - ---- - - - - - - - - - - - - - - -

          ScanState Syntax

          Lists the command-line options for using the ScanState tool.

          LoadState Syntax

          Lists the command-line options for using the LoadState tool.

          UsmtUtils Syntax

          Lists the command-line options for using the UsmtUtils tool.

          - - - - - - - - - - - +--- +title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) +description: User State Migration Tool (USMT) Command-line Syntax +ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Command-line Syntax + + +The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. + +## In This Section + + + ++++ + + + + + + + + + + + + + + +

          ScanState Syntax

          Lists the command-line options for using the ScanState tool.

          LoadState Syntax

          Lists the command-line options for using the LoadState tool.

          UsmtUtils Syntax

          Lists the command-line options for using the UsmtUtils tool.

          + + + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 45c41d0914..49aa08dbfe 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -1,340 +1,340 @@ ---- -title: Common Issues (Windows 10) -description: Common Issues -ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.date: 09/19/2017 -author: greg-lindsay -ms.topic: article ---- - -# Common Issues - - -The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. - -## In This Topic - - -[User Account Problems](#user) - -[Command-line Problems](#command) - -[XML File Problems](#xml) - -[Migration Problems](#migration) - -[Offline Migration Problems](#bkmk-offline) - -[Hard Link Migration Problems](#bkmk-hardlink) - -[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) - -## General Guidelines for Identifying Migration Problems - - -When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: - -- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. - - In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. - - **Note** - Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. - - - -- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -- Create a progress log using the **/Progress** option to monitor your migration. - -- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. - -- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. - -- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. - - **Note** - USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. - - - -## User Account Problems - - -The following sections describe common user account problems. Expand the section to see recommended solutions. - -### I'm having problems creating local accounts on the destination computer. - -**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -### Not all of the user accounts were migrated to the destination computer. - -**Causes/Resolutions** There are two possible causes for this problem: - -When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: - -1. Click **Start**. - -2. Click **All Programs**. - -3. Click **Accessories**. - -4. Right-click **Command Prompt**. - -5. Click **Run as administrator**. - -Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. - -Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. - -### User accounts that I excluded were migrated to the destination computer. - -**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. - -**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. - -### I am using the /uel option, but many accounts are still being included in the migration. - -**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. - -**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. - -### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. - -**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. - -**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: - -1. Open the registry editor by typing `regedit` at an elevated command prompt. - -2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. - - Each user profile is stored in a System Identifier key under `ProfileList`. - -3. Delete the key for the user profile you are trying to remove. - -### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. - -**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. - -**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. - -To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. - -### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. - -**Cause:** The computer name was changed during an offline migration of a local user profile. - -**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, - -``` syntax -loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore -/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 -``` - -## Command-line Problems - - -The following sections describe common command-line problems. Expand the section to see recommended solutions. - -### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." - -**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. - -**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. - -### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." - -**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. - -**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. - -## XML File Problems - - -The following sections describe common XML file problems. Expand the section to see recommended solutions. - -### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? - -**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. - -**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: - -`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` - -### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. - -**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. - -### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? - -**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. - -**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. - -## Migration Problems - - -The following sections describe common migration problems. Expand the section to see recommended solutions. - -### Files that I specified to exclude are still being migrated. - -**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. - -**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). - -### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. - -**Cause:** There might be an error in the XML syntax. - -**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -[Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -[Include Files and Settings](usmt-include-files-and-settings.md) - -[Custom XML Examples](usmt-custom-xml-examples.md) - -### After LoadState completes, the new desktop background does not appear on the destination computer. - -There are three typical causes for this issue. - -**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. - -**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. - -**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. - -**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. - -**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. - -**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. - -### I included MigApp.xml in the migration, but some PST files aren’t migrating. - -**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. - -**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. - -### USMT does not migrate the Start layout - -**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. - -**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. - -**Resolution:** The following workaround is available: - -1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: - - ``` - Export-StartLayout -Path "C:\Layout\user1.xml" - ``` -2. Migrate the user's profile with USMT. -3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: - - ``` - Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% - ``` - -This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. - -## Offline Migration Problems - - -The following sections describe common offline migration problems. Expand the section to see recommended solutions. - -### Some of my system settings do not migrate in an offline migration. - -**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -**Resolution:** In an offline migration, these system settings must be restored manually. - -### The ScanState tool fails with return code 26. - -**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". - -**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. - -### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. - -**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. - -**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: - -``` syntax -Scanstate /ui:S1-5-21-124525095-708259637-1543119021* -``` - -The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. - -You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277). - -### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. - -**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. - -**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: - -``` syntax -reg.exe unload hklm\$dest$software -``` - -## Hard-Link Migration Problems - - -The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. - -### EFS files are not restored to the new partition. - -**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. - -**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. - -### The ScanState tool cannot delete a previous hard-link migration store. - -**Cause:** The migration store contains hard links to locked files. - -**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: - -``` syntax -USMTutils /rd -``` - -You should also reboot the machine. - - - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Frequently Asked Questions](usmt-faq.md) - -[Return Codes](usmt-return-codes.md) - -[UsmtUtils Syntax](usmt-utilities.md) - - - - - - - - - +--- +title: Common Issues (Windows 10) +description: Common Issues +ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 09/19/2017 +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Common Issues + + +The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. + +## In This Topic + + +[User Account Problems](#user) + +[Command-line Problems](#command) + +[XML File Problems](#xml) + +[Migration Problems](#migration) + +[Offline Migration Problems](#bkmk-offline) + +[Hard Link Migration Problems](#bkmk-hardlink) + +[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) + +## General Guidelines for Identifying Migration Problems + + +When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: + +- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. + + In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. + + **Note** + Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. + + + +- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +- Create a progress log using the **/Progress** option to monitor your migration. + +- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. + +- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. + +- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. + + **Note** + USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. + + + +## User Account Problems + + +The following sections describe common user account problems. Expand the section to see recommended solutions. + +### I'm having problems creating local accounts on the destination computer. + +**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +### Not all of the user accounts were migrated to the destination computer. + +**Causes/Resolutions** There are two possible causes for this problem: + +When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: + +1. Click **Start**. + +2. Click **All Programs**. + +3. Click **Accessories**. + +4. Right-click **Command Prompt**. + +5. Click **Run as administrator**. + +Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. + +Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. + +### User accounts that I excluded were migrated to the destination computer. + +**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. + +**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. + +### I am using the /uel option, but many accounts are still being included in the migration. + +**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. + +**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. + +### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. + +**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. + +**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: + +1. Open the registry editor by typing `regedit` at an elevated command prompt. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. + + Each user profile is stored in a System Identifier key under `ProfileList`. + +3. Delete the key for the user profile you are trying to remove. + +### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. + +**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. + +**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. + +To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. + +### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. + +**Cause:** The computer name was changed during an offline migration of a local user profile. + +**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, + +``` syntax +loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore +/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 +``` + +## Command-line Problems + + +The following sections describe common command-line problems. Expand the section to see recommended solutions. + +### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." + +**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. + +**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. + +### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." + +**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. + +**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. + +## XML File Problems + + +The following sections describe common XML file problems. Expand the section to see recommended solutions. + +### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? + +**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. + +**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: + +`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` + +### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. + +**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. + +### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? + +**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. + +**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. + +## Migration Problems + + +The following sections describe common migration problems. Expand the section to see recommended solutions. + +### Files that I specified to exclude are still being migrated. + +**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. + +**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). + +### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. + +**Cause:** There might be an error in the XML syntax. + +**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +[Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +[Include Files and Settings](usmt-include-files-and-settings.md) + +[Custom XML Examples](usmt-custom-xml-examples.md) + +### After LoadState completes, the new desktop background does not appear on the destination computer. + +There are three typical causes for this issue. + +**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. + +**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. + +**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. + +**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. + +**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. + +**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. + +### I included MigApp.xml in the migration, but some PST files aren’t migrating. + +**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. + +**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. + +### USMT does not migrate the Start layout + +**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. + +**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. + +**Resolution:** The following workaround is available: + +1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: + + ``` + Export-StartLayout -Path "C:\Layout\user1.xml" + ``` +2. Migrate the user's profile with USMT. +3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: + + ``` + Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% + ``` + +This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. + +## Offline Migration Problems + + +The following sections describe common offline migration problems. Expand the section to see recommended solutions. + +### Some of my system settings do not migrate in an offline migration. + +**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +**Resolution:** In an offline migration, these system settings must be restored manually. + +### The ScanState tool fails with return code 26. + +**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". + +**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. + +### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. + +**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. + +**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: + +``` syntax +Scanstate /ui:S1-5-21-124525095-708259637-1543119021* +``` + +The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. + +You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277). + +### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. + +**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. + +**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: + +``` syntax +reg.exe unload hklm\$dest$software +``` + +## Hard-Link Migration Problems + + +The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. + +### EFS files are not restored to the new partition. + +**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. + +**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. + +### The ScanState tool cannot delete a previous hard-link migration store. + +**Cause:** The migration store contains hard links to locked files. + +**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: + +``` syntax +USMTutils /rd +``` + +You should also reboot the machine. + + + + + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Frequently Asked Questions](usmt-faq.md) + +[Return Codes](usmt-return-codes.md) + +[UsmtUtils Syntax](usmt-utilities.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 89f0dae0bd..bfc3a1013c 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -1,154 +1,154 @@ ---- -title: Common Migration Scenarios (Windows 10) -description: Common Migration Scenarios -ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Common Migration Scenarios - - -You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. - -One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. - -## In This Topic - - -[PC Refresh](#bkmk-pcrefresh) - -[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) - -[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) - -[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) - -[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) - -[PC Replacement](#bkmk-pcreplace) - -[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) - -[Scenario Two: Manual network migration](#bkmk-twopcreplace) - -[Scenario Three: Managed network migration](#bkmk-threepcreplace) - -## PC-Refresh - - -The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. - -  - -![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) - -  - -### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store - -A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. - -1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. - -2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. - -### Scenario Two: PC-refresh using a compressed migration store - -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. - -1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. - -2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. - -### Scenario Three: PC-refresh using a hard-link migration store - -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. - -1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. - -2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. - -### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store - -A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. - -1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. - -2. On each computer, the administrator installs the company’s SOE which includes company applications. - -3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. - -## PC-Replacement - - -The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. - -  - -![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) - -  - -### Scenario One: Offline migration using WinPE and an external migration store - -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. - -1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. - -2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. - -### Scenario Two: Manual network migration - -A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. - -1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. - -2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. - -4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. - -### Scenario Three: Managed network migration - -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. - -1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. - -2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Choose a Migration Store Type](usmt-choose-migration-store-type.md) - -[Offline Migration Reference](offline-migration-reference.md) - -  - -  - - - - - +--- +title: Common Migration Scenarios (Windows 10) +description: Common Migration Scenarios +ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Common Migration Scenarios + + +You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. + +One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. + +## In This Topic + + +[PC Refresh](#bkmk-pcrefresh) + +[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) + +[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) + +[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) + +[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) + +[PC Replacement](#bkmk-pcreplace) + +[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) + +[Scenario Two: Manual network migration](#bkmk-twopcreplace) + +[Scenario Three: Managed network migration](#bkmk-threepcreplace) + +## PC-Refresh + + +The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. + +  + +![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) + +  + +### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store + +A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. + +1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. + +### Scenario Two: PC-refresh using a compressed migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. + +1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. + +2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. + +### Scenario Three: PC-refresh using a hard-link migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. + +1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. + +### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store + +A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. + +1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. + +2. On each computer, the administrator installs the company’s SOE which includes company applications. + +3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. + +## PC-Replacement + + +The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. + +  + +![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) + +  + +### Scenario One: Offline migration using WinPE and an external migration store + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. + +1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. + +2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. + +### Scenario Two: Manual network migration + +A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. + +1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. + +2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. + +4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. + +### Scenario Three: Managed network migration + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. + +1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. + +2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Choose a Migration Store Type](usmt-choose-migration-store-type.md) + +[Offline Migration Reference](offline-migration-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 8e536f61c9..db0aad8633 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -95,7 +96,7 @@ The following example specifies that all locked files, regardless of their locat Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed. -``` syntax +``` xml * [*] @@ -265,7 +266,7 @@ The **<ErrorControl>** section can be configured to conditionally ignore f -``` syntax +``` xml diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index 960dfab3e3..5b40bd3e9d 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -68,7 +69,7 @@ If you have an <include> rule in one component and a <locationModify> The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component. -``` syntax +``` xml User Documents @@ -102,7 +103,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. -``` syntax +``` xml %CSIDL_PERSONAL%\* [*.doc] @@ -135,7 +136,7 @@ If there are conflicting rules within a component, the most specific rule is app In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions. -``` syntax +``` xml C:\Data\* [*] @@ -390,7 +391,7 @@ The destination computer contains the following files: You have a custom .xml file that contains the following code: -``` syntax +``` xml c:\data\* [*] diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 39269803a9..66f4f18511 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- @@ -36,7 +37,7 @@ Because the tables in this topic are wide, you may need to adjust the width of i The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file. -``` syntax +``` xml @@ -195,7 +196,7 @@ This table describes the behavior in the following example .xml file. -``` syntax +``` xml File Migration Test @@ -231,7 +232,7 @@ This table describes the behavior in the following example .xml file. The behavior for this custom .xml file is described within the <`displayName`> tags in the code. -``` syntax +``` xml diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index e1e7522f96..9376707ccd 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -1,138 +1,138 @@ ---- -title: Customize USMT XML Files (Windows 10) -description: Customize USMT XML Files -ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Customize USMT XML Files - - -## In This Topic - - -[Overview](#bkmk-overview) - -[Migration .xml Files](#bkmk-migxml) - -[Custom .xml Files](#bkmk-customxmlfiles) - -[The Config.xml File](#bkmk-configxml) - -[Examples](#bkmk-examples) - -[Additional Information](#bkmk-addlinfo) - -## Overview - - -If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. - -If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. - -To modify the migration, do one or more of the following. - -- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. - -- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. - -- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. - -For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. - -## Migration .xml Files - - -This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. - -**Note**   -You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. - - - -- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. - -- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. - -- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. - - **Note**   - Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. - - - -## Custom .xml Files - - -You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. - -## The Config.xml File - - -The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. - -If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. - -When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. - -After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. - -In addition, note the following functionality with the Config.xml file: - -- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. - -- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. - -- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - - - -### Examples - -- The following command creates a Config.xml file in the current directory, but it does not create a store: - - `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` - -- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: - - `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` - -- The following command decrypts the store and migrates the files and settings: - - `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` - -## Additional Information - - -- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. - -- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[USMT Resources](usmt-resources.md) - - - - - - - - - +--- +title: Customize USMT XML Files (Windows 10) +description: Customize USMT XML Files +ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Customize USMT XML Files + + +## In This Topic + + +[Overview](#bkmk-overview) + +[Migration .xml Files](#bkmk-migxml) + +[Custom .xml Files](#bkmk-customxmlfiles) + +[The Config.xml File](#bkmk-configxml) + +[Examples](#bkmk-examples) + +[Additional Information](#bkmk-addlinfo) + +## Overview + + +If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. + +If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. + +To modify the migration, do one or more of the following. + +- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. + +- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. + +- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. + +For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +## Migration .xml Files + + +This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. + +**Note**   +You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. + + + +- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. + +- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. + +- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. + + **Note**   + Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. + + + +## Custom .xml Files + + +You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. + +## The Config.xml File + + +The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. + +If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. + +When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. + +After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +In addition, note the following functionality with the Config.xml file: + +- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. + +- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. + +- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + + + +### Examples + +- The following command creates a Config.xml file in the current directory, but it does not create a store: + + `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` + +- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: + + `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` + +- The following command decrypts the store and migrates the files and settings: + + `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` + +## Additional Information + + +- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. + +- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[USMT Resources](usmt-resources.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index c301d5075d..cb04fac7e3 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -1,67 +1,67 @@ ---- -title: Determine What to Migrate (Windows 10) -description: Determine What to Migrate -ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Determine What to Migrate - - -By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. - -However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. - -To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - -

          Identify Users

          Use command-line options to specify which users to migrate and how they should be migrated.

          Identify Applications Settings

          Determine which applications you want to migrate and prepare a list of application settings to be migrated.

          Identify Operating System Settings

          Use migration to create a new standard environment on each of the destination computers.

          Identify File Types, Files, and Folders

          Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.

          - - - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - - - - - - - +--- +title: Determine What to Migrate (Windows 10) +description: Determine What to Migrate +ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Determine What to Migrate + + +By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. + +However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. + +To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

          Identify Users

          Use command-line options to specify which users to migrate and how they should be migrated.

          Identify Applications Settings

          Determine which applications you want to migrate and prepare a list of application settings to be migrated.

          Identify Operating System Settings

          Use migration to create a new standard environment on each of the destination computers.

          Identify File Types, Files, and Folders

          Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.

          + + + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 0c2253be96..34eeb23adc 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -1,139 +1,139 @@ ---- -title: Estimate Migration Store Size (Windows 10) -description: Estimate Migration Store Size -ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Estimate Migration Store Size - - -The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. - -## In This Topic - - -- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. - -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. - -- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. - -## Hard Disk Space Requirements - - -- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). - -- **Source Computer.** The source computer needs enough available space for the following: - - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. - -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: - - - [Operating system.](#bkmk-estmigstoresize) - - - [Applications.](#bkmk-estmigstoresize) - - - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. - -## Calculate Disk Space Requirements using the ScanState Tool - - -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. - -**To run the ScanState tool on the source computer with USMT installed,** - -1. Open a command prompt with administrator privileges. - -2. Navigate to the USMT tools. For example, type - - ``` syntax - cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" - ``` - - Where *<architecture>* is x86 or amd64. - -3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type - - ``` syntax - ScanState.exe /p: - ``` - - Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example, - - ``` syntax - ScanState.exe c:\store /p:c:\spaceRequirements.xml - ``` - - The migration store will not be created by running this command, but `StorePath` is a required parameter. - -The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). - -**Note**   -To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. - - - -The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. - -```xml - - - - 11010592768 - - - 58189144 - - -``` - -Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. - -## Estimate Migration Store Size - - -Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. - -The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. - -**Note**   -You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. - - - -When trying to determine how much disk space you will need, consider the following issues: - -- **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. - -- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. - -- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. - -## Related topics - - -[Common Migration Scenarios](usmt-common-migration-scenarios.md) - - - - - - - - - +--- +title: Estimate Migration Store Size (Windows 10) +description: Estimate Migration Store Size +ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Estimate Migration Store Size + + +The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. + +## In This Topic + + +- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. + +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. + +- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. + +## Hard Disk Space Requirements + + +- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + +- **Source Computer.** The source computer needs enough available space for the following: + + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + + - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. + +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: + + - [Operating system.](#bkmk-estmigstoresize) + + - [Applications.](#bkmk-estmigstoresize) + + - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. + + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + +## Calculate Disk Space Requirements using the ScanState Tool + + +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. + +**To run the ScanState tool on the source computer with USMT installed,** + +1. Open a command prompt with administrator privileges. + +2. Navigate to the USMT tools. For example, type + + ``` syntax + cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" + ``` + + Where *<architecture>* is x86 or amd64. + +3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type + + ``` syntax + ScanState.exe /p: + ``` + + Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example, + + ``` syntax + ScanState.exe c:\store /p:c:\spaceRequirements.xml + ``` + + The migration store will not be created by running this command, but `StorePath` is a required parameter. + +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +**Note**   +To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. + + + +The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. + +```xml + + + + 11010592768 + + + 58189144 + + +``` + +Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. + +## Estimate Migration Store Size + + +Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. + +The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. + +**Note**   +You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. + + + +When trying to determine how much disk space you will need, consider the following issues: + +- **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. + +- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. + +- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. + +## Related topics + + +[Common Migration Scenarios](usmt-common-migration-scenarios.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 4566d2d488..21a829f394 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -1,279 +1,279 @@ ---- -title: Exclude Files and Settings (Windows 10) -description: Exclude Files and Settings -ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Exclude Files and Settings -When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). - -In this topic: - -- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: - - - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. - - - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. - -- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. - -## Create a custom .xml file -We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. - -### <include> and <exclude> -The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). - -**Note**   -If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. - -- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) - -- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) - -- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) - -- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) - -- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) - -### Example 1: How to migrate all files from C:\\ except .mp3 files -The following .xml file migrates all files located on the C: drive, except any .mp3 files. - -``` xml - - - - MP3 Files - - - - - C:\* [*] - - - - - C:\* [*.mp3] - - - - - - -``` -### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp -The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. - -``` xml - - - Test component - - - - - C:\Data\* [*] - - - - - C:\Data\temp\* [*] - - - - - - -``` - -### Example 3: How to exclude the files in a folder but include all subfolders -The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents without subfolders - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [*] - - - - - - -``` - -### Example 4: How to exclude a file from a specific folder -The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents except Sample.doc - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [Sample.doc] - - - - - - -``` - -### Example 5: How to exclude a file from any location -To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. - -``` xml - C:\* [Sample.doc] -``` - -To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. - -``` xml - -``` -#### Examples of how to use XML to exclude files, folders, and registry keys -Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) - -**Example 1: How to exclude all .mp3 files**
          -The following .xml file excludes all .mp3 files from the migration: - -``` xml - - - Test - - - - - - - - - - - -``` -**Example 2: How to exclude all of the files on a specific drive**
          -The following .xml file excludes only the files located on the C: drive. - -``` xml - - - Test - - - - - c:\*[*] - - - - - - -``` -**Example 3: How to exclude registry keys**
          -The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. - -``` xml - - - - Test - - - - - HKCU\testReg[*] - - - - - HKCU\*[*] - - - - - - -``` -**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
          -The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. - -``` xml - - - - Test - - - - - - - - - - - - C:\Program Files\* [*] -C:\Windows\* [*] - - - - - - -``` -## Create a Config XML File -You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. - -- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. - -- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. - -- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. - -See [Config.xml File](usmt-configxml-file.md) for more information. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - -## Related topics -- [Customize USMT XML Files](usmt-customize-xml-files.md) -- [USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Exclude Files and Settings (Windows 10) +description: Exclude Files and Settings +ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Exclude Files and Settings +When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). + +In this topic: + +- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: + + - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. + + - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + +- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. + +## Create a custom .xml file +We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +### <include> and <exclude> +The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). + +**Note**   +If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. + +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) + +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) + +- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) + +- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) + +- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) + +### Example 1: How to migrate all files from C:\\ except .mp3 files +The following .xml file migrates all files located on the C: drive, except any .mp3 files. + +``` xml + + + + MP3 Files + + + + + C:\* [*] + + + + + C:\* [*.mp3] + + + + + + +``` +### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp +The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. + +``` xml + + + Test component + + + + + C:\Data\* [*] + + + + + C:\Data\temp\* [*] + + + + + + +``` + +### Example 3: How to exclude the files in a folder but include all subfolders +The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents without subfolders + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [*] + + + + + + +``` + +### Example 4: How to exclude a file from a specific folder +The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents except Sample.doc + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + + +``` + +### Example 5: How to exclude a file from any location +To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. + +``` xml + C:\* [Sample.doc] +``` + +To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. + +``` xml + +``` +#### Examples of how to use XML to exclude files, folders, and registry keys +Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) + +**Example 1: How to exclude all .mp3 files**
          +The following .xml file excludes all .mp3 files from the migration: + +``` xml + + + Test + + + + + + + + + + + +``` +**Example 2: How to exclude all of the files on a specific drive**
          +The following .xml file excludes only the files located on the C: drive. + +``` xml + + + Test + + + + + c:\*[*] + + + + + + +``` +**Example 3: How to exclude registry keys**
          +The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. + +``` xml + + + + Test + + + + + HKCU\testReg[*] + + + + + HKCU\*[*] + + + + + + +``` +**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
          +The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. + +``` xml + + + + Test + + + + + + + + + + + + C:\Program Files\* [*] +C:\Windows\* [*] + + + + + + +``` +## Create a Config XML File +You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. + +- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. + +- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. + +- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. + +See [Config.xml File](usmt-configxml-file.md) for more information. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + +## Related topics +- [Customize USMT XML Files](usmt-customize-xml-files.md) +- [USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 1eb40410a6..6a97acb78b 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -1,122 +1,122 @@ ---- -title: Extract Files from a Compressed USMT Migration Store (Windows 10) -description: Extract Files from a Compressed USMT Migration Store -ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Extract Files from a Compressed USMT Migration Store - - -When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. - -Options used with the **/extract** option can specify: - -- The cryptographic algorithm that was used to create the migration store. - -- The encryption key or the text file that contains the encryption key. - -- Include and exclude patterns for selective data extraction. - -In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. - -## In this topic - - -- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) - -- [To extract all files from a compressed migration store](#bkmk-extractallfiles) - -- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) - -- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) - -- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) - -### To run the USMTutils tool with the /extract option - -To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: - -Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] - -Where the placeholders have the following values: - -- *<USMTpath>* is the location where you have saved the USMT files and tools. - -- *<filePath>* is the location of the migration store. - -- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. - -- *<includePattern>* specifies the pattern for the files to include in the extraction. - -- *<excludePattern>* specifies the pattern for the files to omit from the extraction. - -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. - -- *<logfile>* is the location and name of the log file. - -- *<keystring>* is the encryption key that was used to encrypt the migration store. - -- *<filename>* is the location and name of the text file that contains the encryption key. - -### To extract all files from a compressed migration store - -To extract everything from a compressed migration store to a file on the C:\\ drive, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore -``` - -### To extract specific file types from an encrypted compressed migration store - -To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt -``` - -In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. - -### To extract all but one, or more, file types from an encrypted compressed migration store - -To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt -``` - -### To extract file types using the include pattern and the exclude pattern - -To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o -``` - -In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. - -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Extract Files from a Compressed USMT Migration Store (Windows 10) +description: Extract Files from a Compressed USMT Migration Store +ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Extract Files from a Compressed USMT Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. + +Options used with the **/extract** option can specify: + +- The cryptographic algorithm that was used to create the migration store. + +- The encryption key or the text file that contains the encryption key. + +- Include and exclude patterns for selective data extraction. + +In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. + +## In this topic + + +- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) + +- [To extract all files from a compressed migration store](#bkmk-extractallfiles) + +- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) + +- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) + +- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) + +### To run the USMTutils tool with the /extract option + +To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: + +Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<filePath>* is the location of the migration store. + +- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. + +- *<includePattern>* specifies the pattern for the files to include in the extraction. + +- *<excludePattern>* specifies the pattern for the files to omit from the extraction. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<logfile>* is the location and name of the log file. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To extract all files from a compressed migration store + +To extract everything from a compressed migration store to a file on the C:\\ drive, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore +``` + +### To extract specific file types from an encrypted compressed migration store + +To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt +``` + +In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. + +### To extract all but one, or more, file types from an encrypted compressed migration store + +To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt +``` + +### To extract file types using the include pattern and the exclude pattern + +To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o +``` + +In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md index 21a5b714f0..49092e9f6f 100644 --- a/windows/deployment/usmt/usmt-faq.md +++ b/windows/deployment/usmt/usmt-faq.md @@ -1,137 +1,137 @@ ---- -title: Frequently Asked Questions (Windows 10) -description: Frequently Asked Questions -ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Frequently Asked Questions - - -The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. - -## General - - -### How much space is needed on the destination computer? - -The destination computer needs enough available space for the following: - -- Operating system - -- Applications - -- Uncompressed store - -### Can I store the files and settings directly on the destination computer or do I need a server? - -You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: - -1. Create and share the directory C:\\store on the destination computer. - -2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store - -3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. - -### Can I migrate data between operating systems with different languages? - -No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. - -### Can I change the location of the temporary directory on the destination computer? - -Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. - -### How do I install USMT? - -Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. - -### How do I uninstall USMT? - -If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. - -## Files and Settings - - -### How can I exclude a folder or a certain type of file from the migration? - -You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). - -### What happens to files that were located on a drive that does not exist on the destination computer? - -USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. - -## USMT .xml Files - - -### Where can I get examples of USMT .xml files? - -The following topics include examples of USMT .xml files: - -- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -- [Include Files and Settings](usmt-include-files-and-settings.md) - -- [Custom XML Examples](usmt-custom-xml-examples.md) - -### Can I use custom .xml files that were written for USMT 5.0? - -Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. - -### How can I validate the .xml files? - -You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. - -### Why must I list the .xml files with both the ScanState and LoadState commands? - -The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. - -If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -### Which files can I modify and specify on the command line? - -You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. - -### What happens if I do not specify the .xml files on the command line? - -- **ScanState** - - If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. - -- **LoadState** - - If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -## Conflicts and Precedence - - -### What happens when there are conflicting XML rules or conflicting objects on the destination computer? - -For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Frequently Asked Questions (Windows 10) +description: Frequently Asked Questions +ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Frequently Asked Questions + + +The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + +## General + + +### How much space is needed on the destination computer? + +The destination computer needs enough available space for the following: + +- Operating system + +- Applications + +- Uncompressed store + +### Can I store the files and settings directly on the destination computer or do I need a server? + +You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + +1. Create and share the directory C:\\store on the destination computer. + +2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + +3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + +### Can I migrate data between operating systems with different languages? + +No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + +### Can I change the location of the temporary directory on the destination computer? + +Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + +### How do I install USMT? + +Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + +### How do I uninstall USMT? + +If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + +## Files and Settings + + +### How can I exclude a folder or a certain type of file from the migration? + +You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). + +### What happens to files that were located on a drive that does not exist on the destination computer? + +USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + +## USMT .xml Files + + +### Where can I get examples of USMT .xml files? + +The following topics include examples of USMT .xml files: + +- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +- [Include Files and Settings](usmt-include-files-and-settings.md) + +- [Custom XML Examples](usmt-custom-xml-examples.md) + +### Can I use custom .xml files that were written for USMT 5.0? + +Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + +### How can I validate the .xml files? + +You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + +### Why must I list the .xml files with both the ScanState and LoadState commands? + +The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. + +If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +### Which files can I modify and specify on the command line? + +You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + +### What happens if I do not specify the .xml files on the command line? + +- **ScanState** + + If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + +- **LoadState** + + If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +## Conflicts and Precedence + + +### What happens when there are conflicting XML rules or conflicting objects on the destination computer? + +For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index daad6f47ed..2bffb25cd7 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -1,106 +1,106 @@ ---- -title: General Conventions (Windows 10) -description: General Conventions -ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# General Conventions - - -This topic describes the XML helper functions. - -## In This Topic - - -[General XML Guidelines](#bkmk-general) - -[Helper Functions](#bkmk-helperfunctions) - -## General XML Guidelines - - -Before you modify the .xml files, become familiar with the following guidelines: - -- **XML schema** - - You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. - -- **Conflits** - - In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -- **Required elements** - - The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. - -- **Required child elements** - - - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. - - - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. - -- **File names with brackets** - - If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. - -- **Using quotation marks** - - When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. - -## Helper Functions - - -You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: - -- **All of the parameters are strings** - -- **You can leave NULL parameters blank** - - As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - - ``` syntax - SomeFunction("My String argument",NULL,NULL) - ``` - - is equivalent to: - - ``` syntax - SomeFunction("My String argument") - ``` - -- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** - - It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. - - For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. - - The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. - -- **You specify a location pattern in a way that is similar to how you specify an actual location** - - The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - - For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: General Conventions (Windows 10) +description: General Conventions +ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# General Conventions + + +This topic describes the XML helper functions. + +## In This Topic + + +[General XML Guidelines](#bkmk-general) + +[Helper Functions](#bkmk-helperfunctions) + +## General XML Guidelines + + +Before you modify the .xml files, become familiar with the following guidelines: + +- **XML schema** + + You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. + +- **Conflits** + + In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +- **Required elements** + + The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. + +- **Required child elements** + + - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. + + - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. + +- **File names with brackets** + + If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. + +- **Using quotation marks** + + When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. + +## Helper Functions + + +You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: + +- **All of the parameters are strings** + +- **You can leave NULL parameters blank** + + As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: + + ``` syntax + SomeFunction("My String argument",NULL,NULL) + ``` + + is equivalent to: + + ``` syntax + SomeFunction("My String argument") + ``` + +- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** + + It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + + For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + + The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + +- **You specify a location pattern in a way that is similar to how you specify an actual location** + + The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. + + For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 100e1e1f04..4b2d8385c2 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -209,7 +210,7 @@ You must use the **/nocompress** option with the **/HardLink** option. The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` syntax +``` xml diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 84bf06500d..5c8bbb6d9b 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -1,150 +1,150 @@ ---- -title: How USMT Works (Windows 10) -description: How USMT Works -ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# How USMT Works - - -USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. - -- [ScanState Process](#bkmk-ssprocess) - -- [LoadState Process](#bkmk-lsprocess) - - **Note**   - For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - - -## The ScanState Process - - -When you run the ScanState tool on the source computer, it goes through the following process: - -1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. - - There are three types of components: - - - Components that migrate the operating system settings - - - Components that migrate application settings - - - Components that migrate users’ files - - The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. - -4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: - - 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note**   - From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. - - - - 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. - - 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. - - 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. - - **Note**   - ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. - - - -5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. - -6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. - - **Note**   - ScanState does not modify the source computer in any way. - - - -## The LoadState Process - - -The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. - -1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. LoadState collects information about the migration components that need to be migrated. - - LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. - - - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. - - - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. - - - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). - -4. In the "Scanning" phase, LoadState does the following for each user profile: - - 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note** - From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. - - - - 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). - - **Note** - LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. - - - - 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. - - 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. - - **Important** - It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. - - - -5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - - - - - - - - - +--- +title: How USMT Works (Windows 10) +description: How USMT Works +ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# How USMT Works + + +USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. + +- [ScanState Process](#bkmk-ssprocess) + +- [LoadState Process](#bkmk-lsprocess) + + **Note**   + For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + + +## The ScanState Process + + +When you run the ScanState tool on the source computer, it goes through the following process: + +1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. + + There are three types of components: + + - Components that migrate the operating system settings + + - Components that migrate application settings + + - Components that migrate users’ files + + The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. + +4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: + + 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note**   + From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. + + + + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. + + 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. + + 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. + + **Note**   + ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. + + + +5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. + +6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. + + **Note**   + ScanState does not modify the source computer in any way. + + + +## The LoadState Process + + +The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. + +1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. LoadState collects information about the migration components that need to be migrated. + + LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. + + - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + + - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + + - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). + +4. In the "Scanning" phase, LoadState does the following for each user profile: + + 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note** + From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + + + + 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + + **Note** + LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + + + + 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. + + 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. + + **Important** + It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. + + + +5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index f26b1b8cd3..9fdba24603 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -1,35 +1,35 @@ ---- -title: User State Migration Tool (USMT) How-to topics (Windows 10) -description: User State Migration Tool (USMT) How-to topics -ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) How-to topics -The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. - -## In This Section - -|Topic |Description| -|------|-----------| -|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| -|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| -|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| -|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| -|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| -|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| -|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| -|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| - -## Related topics -- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +--- +title: User State Migration Tool (USMT) How-to topics (Windows 10) +description: User State Migration Tool (USMT) How-to topics +ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) How-to topics +The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. + +## In This Section + +|Topic |Description| +|------|-----------| +|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| +|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| +|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| +|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| +|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| +|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| +|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| +|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| + +## Related topics +- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) +- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index 874e4e4399..2a8a430f41 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -1,62 +1,62 @@ ---- -title: Identify Applications Settings (Windows 10) -description: Identify Applications Settings -ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Applications Settings - - -When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md). - -## Applications - - -First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is. - -Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. - -## Application Settings - - -Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system. - -After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully: - -- Is the destination version of the application newer than the source version? - -- Do these settings work with the new version? - -- Do the settings need to be moved or altered? - -- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? - -After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application. - -## Locating Where Settings Are Stored - - -See [Migrate Application Settings](migrate-application-settings.md) and follow the directions. - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - - - - +--- +title: Identify Applications Settings (Windows 10) +description: Identify Applications Settings +ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify Applications Settings + + +When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +## Applications + + +First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is. + +Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. + +## Application Settings + + +Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system. + +After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully: + +- Is the destination version of the application newer than the source version? + +- Do these settings work with the new version? + +- Do the settings need to be moved or altered? + +- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? + +After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application. + +## Locating Where Settings Are Stored + + +See [Migrate Application Settings](migrate-application-settings.md) and follow the directions. + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index 2dfe827d3f..45cd2a17a7 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -1,51 +1,51 @@ ---- -title: Identify File Types, Files, and Folders (Windows 10) -description: Identify File Types, Files, and Folders -ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify File Types, Files, and Folders - - -When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: - -- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. - -- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). - -- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. - -Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. - -**To find the registered file types on a computer running Windows 7 or Windows 8** - -1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. - -2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. - -3. On this screen, the registered file types are displayed. - -For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - - - - +--- +title: Identify File Types, Files, and Folders (Windows 10) +description: Identify File Types, Files, and Folders +ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify File Types, Files, and Folders + + +When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: + +- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. + +- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). + +- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. + +Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. + +**To find the registered file types on a computer running Windows 7 or Windows 8** + +1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. + +2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. + +3. On this screen, the registered file types are displayed. + +For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index cce810e31f..1cffd2aed8 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -1,60 +1,60 @@ ---- -title: Identify Operating System Settings (Windows 10) -description: Identify Operating System Settings -ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Operating System Settings - - -When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: - -- **Apperance.** - - This includes items such as wallpaper, colors, sounds, and the location of the taskbar. - -- **Action.** - - This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. - -- **Internet.** - - These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. - -- **Mail.** - - This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. - -To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. - -You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. - -**Note**   -For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - - - - - - - - - +--- +title: Identify Operating System Settings (Windows 10) +description: Identify Operating System Settings +ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify Operating System Settings + + +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: + +- **Apperance.** + + This includes items such as wallpaper, colors, sounds, and the location of the taskbar. + +- **Action.** + + This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. + +- **Internet.** + + These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. + +- **Mail.** + + This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. + +To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. + +You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. + +**Note**   +For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + + + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 4f0534cf76..8168e90730 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -1,90 +1,90 @@ ---- -title: Identify Users (Windows 10) -description: Identify Users -ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Users - - -It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -## In This Topic - - -- [Migrating Local Accounts](#bkmk-8) - -- [Migrating Domain Accounts](#bkmk-9) - -- [Command-Line Options](#bkmk-7) - -## Migrating Local Accounts - - -Before migrating local accounts, note the following: - -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the/lac option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. - -- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. - -- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. - - **Note** - If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. - - - -## Migrating Domain Accounts - - -The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. - -## Command-Line Options - - -USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. - -- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. - - **Important**   - The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. - - - -- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. - -- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. - -- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. - - **Note**   - By default, if a user name is not specified in any of the command-line options, the user will be migrated. - - - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Identify Users (Windows 10) +description: Identify Users +ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify Users + + +It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +## In This Topic + + +- [Migrating Local Accounts](#bkmk-8) + +- [Migrating Domain Accounts](#bkmk-9) + +- [Command-Line Options](#bkmk-7) + +## Migrating Local Accounts + + +Before migrating local accounts, note the following: + +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the/lac option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. + +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. + +- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. + + **Note** + If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. + + + +## Migrating Domain Accounts + + +The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. + +## Command-Line Options + + +USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. + +- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. + + **Important**   + The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. + + + +- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. + +- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. + +- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. + + **Note**   + By default, if a user name is not specified in any of the command-line options, the user will be migrated. + + + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 89b7d8fa3a..c594b6ea7d 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -37,7 +38,7 @@ In this topic: The following .xml file migrates a single registry key. -``` syntax +``` xml Component to migrate only registry value string @@ -63,7 +64,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. - ``` syntax + ``` xml Component to migrate all Engineering Drafts Documents including subfolders @@ -82,7 +83,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. - ``` syntax + ``` xml Component to migrate all Engineering Drafts Documents without subfolders @@ -103,7 +104,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` syntax +``` xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -123,7 +124,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. -``` syntax +``` xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -146,7 +147,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +``` xml All .mp3 files to My Documents @@ -176,7 +177,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. - ``` syntax + ``` xml Component to migrate all Engineering Drafts Documents @@ -195,13 +196,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. - ``` syntax + ``` xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` syntax + ``` xml ``` diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index 63c3b443b8..ea390e9871 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -1,709 +1,709 @@ ---- -title: LoadState Syntax (Windows 10) -description: LoadState Syntax -ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# LoadState Syntax - - -This topic discusses the **LoadState** command syntax and options. - -## In This Topic - - -[Before You Begin](#before) - -[Syntax](#bkmk-s) - -[Storage Options](#bkmk-st) - -[Migration Rule Options](#bkmk-mig) - -[Monitoring Options](#bkmk-mon) - -[User Options](#bkmk-user) - -[Incompatible Command-Line Options](#bkmk-cloi) - -## Before You Begin - - -Before you run the **LoadState** command, note the following: - -- To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials. - -- For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md). - -- You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in. - -- Unless otherwise specified, you can use each option only once when running a tool on the command line. - -- **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. - -- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. - -## Syntax - - -This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. - -The **LoadState** command's syntax is: - -loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: - -`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` - -## Storage Options - - -USMT provides the following options that you can use to specify how and where the migrated data is stored. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          StorePath

          Indicates the folder where the files and settings data are stored. You must specify StorePath when using the LoadState command. You cannot specify more than one StorePath.

          /decrypt /key:KeyString

          -

          or

          -

          /decrypt /key:"Key String"

          -

          or

          -

          /decrypt /keyfile:[Path</em>]FileName

          Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:

          -
            -

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks.

            • -

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key

            • -
          -

          KeyString cannot exceed 256 characters.

          -

          The /key and /keyfile options cannot be used on the same command line.

          -

          The /decrypt and /nocompress options cannot be used on the same command line.

          -
          -Important

          Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

          -
          -
          - -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey

          /decrypt:"encryption strength"

          The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see Migration Store Encryption.

          /hardlink

          Enables user-state data to be restored from a hard-link migration store. The /nocompress parameter must be specified with /hardlink option.

          /nocompress

          Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the /decrypt option.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress

          - - - -## Migration Rule Options - - -USMT provides the following options to specify what files you want to migrate. - - ---- - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          -

          Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          -

          For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

          /config:[Path]FileName

          Specifies the Config.xml file that the LoadState command should use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.

          -

          This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

          -

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

          /auto:"path to script files"

          This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          - - - -## Monitoring Options - - -USMT provides several command-line options that you can use to analyze problems that occur during migration. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /l:[Path]FileName

          Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.

          -

          If you run the LoadState command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:load.log option.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the LoadState log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

          -

          For example:

          -

          loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the LoadState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the LoadState command will log an error and continue with the migration. Without the /c option, the LoadState command will exit on the first error. You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          -

          Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          -

          While restoring the user state, the /r option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          -

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /? or /help

          Displays Help on the command line.

          - - - -## User Options - - -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          -

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:DomainName<em>UserName

          -

          or

          -

          /ui:"DomainName<em>User Name"

          -

          or

          -

          /ui:ComputerName<em>LocalUserName

          (User include)

          -

          Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

          -

          For example:

          -
            -

          • To include only User2 from the Corporate domain, type:

            -

            /ue:* /ui:corporate\user2

            • -
          -
          -Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          -
          -
          - -
          -

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /uel:<NumberOfDays>

          -

          or

          -

          /uel:<YYYY/MM/DD>

          -

          or

          -

          /uel:0

          (User exclude based on last logon)

          -

          Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          -
          -Note

          The /uel option is not valid in offline migrations.

          -
          -
          - -
          -

          Examples:

          -
            -

          • /uel:0 migrates accounts that were logged on to the source computer when the ScanState command was run.

            • -

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • -

          • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

            • -

          • /uel:2002/1/15 migrates users who have logged on or whose accounts have been modified since January 15, 2002.

            • -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0

          /ue:DomainName<em>UserName

          -

          or

          -

          /ue:"DomainName<em>User Name"

          -

          or

          -

          /ue:ComputerName<em>LocalUserName

          (User exclude)

          -

          Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1

          -

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /md:OldDomain:NewDomain

          -

          or

          -

          /md:LocalComputerName:NewDomain

          (move domain)

          -

          Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk () wildcard character.

          -

          You can specify this option more than once. You may want to specify multiple /md options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: /md:corporate:fabrikam and /md:farnorth:fabrikam.

          -

          If there are conflicts between two /md commands, the first rule that you specify is applied. For example, if you specify the /md:corporate:fabrikam and /md:corporate:farnorth commands, then Corporate users would be mapped to the Fabrikam domain.

          -
          -Note

          If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

          -
          -
          - -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          /progress:prog.log /l:load.log /md:contoso:fabrikam

          /mu:OldDomain<em>OldUserName:[NewDomain]NewUserName

          -

          or

          -

          /mu:OldLocalUserName:NewDomain<em>NewUserName

          Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          /progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1

          /lac:[Password]

          (local account create)

          -

          Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the /lae option.

          -

          If the /lac option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

          -

          Password is the password for the newly created account. An empty password is used by default.

          -
          -Caution

          Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

          -

          Also, if the computer has multiple users, all migrated users will have the same password.

          -
          -
          - -
          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          For instructions, see Migrate User Accounts.

          /lae

          (local account enable)

          -

          Enables the account that was created with the /lac option. You must specify the /lac option with this option.

          -

          For example:

          -

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          -

          /progress:prog.log /l:load.log /lac:password /lae

          -

          For instructions, see Migrate User Accounts.

          - - - -### Examples for the /ui and /ue options - -The following examples apply to both the **/ui** and **/ue** options. You can replace the **/ue** option with the **/ui** option to include, rather than exclude, the specified users. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Exclude the user named User One in the Corporate domain.

          /ue:"corporate\user one"

          Exclude the user named User1 in the Corporate domain.

          /ue:corporate\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain

          Exclude all local users.

          /ue:%computername%

          Exclude users in all domains named User1, User2, and so on.

          /ue:\user

          - - - -### Using the Options Together - -You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated. - -**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. - -**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          -
            -

          • Using the ScanState command-line tool, type: /ue:* /ui:contoso

            • -

          • Using the LoadState command-line tool, type: /ue:contoso\user1

            • -

          Include only local (non-domain) users.

          /ue: /ui:%computername%*

          - - - -## Incompatible Command-Line Options - - -The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /v

          /nocompress

          N/A

          X

          /key

          X

          X

          /decrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /genconfig

          N/A

          /config

          X

          StorePath

          /md

          /mu

          /lae

          /lac

          - - - -**Note** -You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. - - - -## Related topics - - -[XML Elements Library](usmt-xml-elements-library.md) - - - - - - - - - +--- +title: LoadState Syntax (Windows 10) +description: LoadState Syntax +ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# LoadState Syntax + + +This topic discusses the **LoadState** command syntax and options. + +## In This Topic + + +[Before You Begin](#before) + +[Syntax](#bkmk-s) + +[Storage Options](#bkmk-st) + +[Migration Rule Options](#bkmk-mig) + +[Monitoring Options](#bkmk-mon) + +[User Options](#bkmk-user) + +[Incompatible Command-Line Options](#bkmk-cloi) + +## Before You Begin + + +Before you run the **LoadState** command, note the following: + +- To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials. + +- For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md). + +- You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in. + +- Unless otherwise specified, you can use each option only once when running a tool on the command line. + +- **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. + +- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. + +## Syntax + + +This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. + +The **LoadState** command's syntax is: + +loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: + +`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` + +## Storage Options + + +USMT provides the following options that you can use to specify how and where the migrated data is stored. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          StorePath

          Indicates the folder where the files and settings data are stored. You must specify StorePath when using the LoadState command. You cannot specify more than one StorePath.

          /decrypt /key:KeyString

          +

          or

          +

          /decrypt /key:"Key String"

          +

          or

          +

          /decrypt /keyfile:[Path</em>]FileName

          Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:

          +
            +

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks.

            • +

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key

            • +
          +

          KeyString cannot exceed 256 characters.

          +

          The /key and /keyfile options cannot be used on the same command line.

          +

          The /decrypt and /nocompress options cannot be used on the same command line.

          +
          +Important

          Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

          +
          +
          + +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey

          /decrypt:"encryption strength"

          The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see Migration Store Encryption.

          /hardlink

          Enables user-state data to be restored from a hard-link migration store. The /nocompress parameter must be specified with /hardlink option.

          /nocompress

          Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the /decrypt option.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress

          + + + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          +

          Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          +

          For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

          /config:[Path]FileName

          Specifies the Config.xml file that the LoadState command should use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.

          +

          This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

          +

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

          /auto:"path to script files"

          This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          + + + +## Monitoring Options + + +USMT provides several command-line options that you can use to analyze problems that occur during migration. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /l:[Path]FileName

          Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.

          +

          If you run the LoadState command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:load.log option.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the LoadState log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

          +

          For example:

          +

          loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the LoadState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the LoadState command will log an error and continue with the migration. Without the /c option, the LoadState command will exit on the first error. You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          +

          Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          +

          While restoring the user state, the /r option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          +

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /? or /help

          Displays Help on the command line.

          + + + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          +

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:DomainName<em>UserName

          +

          or

          +

          /ui:"DomainName<em>User Name"

          +

          or

          +

          /ui:ComputerName<em>LocalUserName

          (User include)

          +

          Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

          +

          For example:

          +
            +

          • To include only User2 from the Corporate domain, type:

            +

            /ue:* /ui:corporate\user2

            • +
          +
          +Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          +
          +
          + +
          +

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /uel:<NumberOfDays>

          +

          or

          +

          /uel:<YYYY/MM/DD>

          +

          or

          +

          /uel:0

          (User exclude based on last logon)

          +

          Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          +
          +Note

          The /uel option is not valid in offline migrations.

          +
          +
          + +
          +

          Examples:

          +
            +

          • /uel:0 migrates accounts that were logged on to the source computer when the ScanState command was run.

            • +

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • +

          • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

            • +

          • /uel:2002/1/15 migrates users who have logged on or whose accounts have been modified since January 15, 2002.

            • +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0

          /ue:DomainName<em>UserName

          +

          or

          +

          /ue:"DomainName<em>User Name"

          +

          or

          +

          /ue:ComputerName<em>LocalUserName

          (User exclude)

          +

          Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1

          +

          For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

          /md:OldDomain:NewDomain

          +

          or

          +

          /md:LocalComputerName:NewDomain

          (move domain)

          +

          Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk () wildcard character.

          +

          You can specify this option more than once. You may want to specify multiple /md options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: /md:corporate:fabrikam and /md:farnorth:fabrikam.

          +

          If there are conflicts between two /md commands, the first rule that you specify is applied. For example, if you specify the /md:corporate:fabrikam and /md:corporate:farnorth commands, then Corporate users would be mapped to the Fabrikam domain.

          +
          +Note

          If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

          +
          +
          + +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          /progress:prog.log /l:load.log /md:contoso:fabrikam

          /mu:OldDomain<em>OldUserName:[NewDomain]NewUserName

          +

          or

          +

          /mu:OldLocalUserName:NewDomain<em>NewUserName

          Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          /progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1

          /lac:[Password]

          (local account create)

          +

          Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the /lae option.

          +

          If the /lac option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

          +

          Password is the password for the newly created account. An empty password is used by default.

          +
          +Caution

          Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

          +

          Also, if the computer has multiple users, all migrated users will have the same password.

          +
          +
          + +
          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          For instructions, see Migrate User Accounts.

          /lae

          (local account enable)

          +

          Enables the account that was created with the /lac option. You must specify the /lac option with this option.

          +

          For example:

          +

          loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

          +

          /progress:prog.log /l:load.log /lac:password /lae

          +

          For instructions, see Migrate User Accounts.

          + + + +### Examples for the /ui and /ue options + +The following examples apply to both the **/ui** and **/ue** options. You can replace the **/ue** option with the **/ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Exclude the user named User One in the Corporate domain.

          /ue:"corporate\user one"

          Exclude the user named User1 in the Corporate domain.

          /ue:corporate\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain

          Exclude all local users.

          /ue:%computername%

          Exclude users in all domains named User1, User2, and so on.

          /ue:\user

          + + + +### Using the Options Together + +You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated. + +**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. + +**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          +
            +

          • Using the ScanState command-line tool, type: /ue:* /ui:contoso

            • +

          • Using the LoadState command-line tool, type: /ue:contoso\user1

            • +

          Include only local (non-domain) users.

          /ue: /ui:%computername%*

          + + + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /v

          /nocompress

          N/A

          X

          /key

          X

          X

          /decrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /genconfig

          N/A

          /config

          X

          StorePath

          /md

          /mu

          /lae

          /lac

          + + + +**Note** +You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. + + + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index fad90a25bf..d9917d3495 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -252,7 +253,7 @@ The following examples describe common scenarios in which you can use the diagno Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains: -``` syntax +``` 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM New Folder @@ -263,7 +264,7 @@ Let’s imagine that we have the following directory structure and that we want The directory of **C:\\data\\New Folder** contains: -``` syntax +``` 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt @@ -294,7 +295,7 @@ To migrate these files you author the following migration XML: However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +``` xml @@ -315,13 +316,13 @@ Analysis of this XML section reveals the migunit that was created when the migra An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: -``` syntax +``` xml c:\data\* [*] ``` When the migration is preformed again with the modified tag, the diagnostic log reveals the following: -``` syntax +``` xml @@ -346,7 +347,7 @@ This diagnostic log confirms that the modified <pattern> value enables the In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains: -``` syntax +``` Directory of C:\Data 01/21/2009 10:08 PM . @@ -359,7 +360,7 @@ Directory of C:\Data The **C:\\Data\\New Folder\\** contains: -``` syntax +``` 01/21/2009 10:08 PM . 01/21/2009 10:08 PM .. 01/21/2009 10:08 PM 0 New Text Document.txt @@ -396,7 +397,7 @@ You author the following migration XML: However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +``` xml @@ -453,7 +454,7 @@ Upon reviewing the diagnostic log, you confirm that the files are still migratin Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log: -``` syntax +``` xml diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index 0e3db8dd0c..706f2c6a6e 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -1,55 +1,55 @@ ---- -title: Migrate EFS Files and Certificates (Windows 10) -description: Migrate EFS Files and Certificates -ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate EFS Files and Certificates - - -This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## To Migrate EFS Files and Certificates - - -Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. - -**Note**   -The **/efs** options are not used with the LoadState command. - - - -Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. - -You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: - -``` syntax -Cipher /D /S: -``` - -Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) - - - - - - - - - +--- +title: Migrate EFS Files and Certificates (Windows 10) +description: Migrate EFS Files and Certificates +ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate EFS Files and Certificates + + +This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## To Migrate EFS Files and Certificates + + +Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. + +**Note**   +The **/efs** options are not used with the LoadState command. + + + +Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. + +You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: + +``` syntax +Cipher /D /S: +``` + +Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 0842197047..663964c7eb 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -1,96 +1,96 @@ ---- -title: Migrate User Accounts (Windows 10) -description: Migrate User Accounts -ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate User Accounts - - -By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. - -## In this Topic - - -- [To migrate all user accounts and user settings](#bkmk-migrateall) - -- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) - -- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) - -## To migrate all user accounts and user settings -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: - - `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Do one of the following: - - - If you are migrating domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - - - If you are migrating local accounts along with domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` - - **Note**   - You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. - - - -## To migrate two domain accounts (User1 and User2) -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and type the following at the command-line prompt: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` - -## Related topics - - -[Identify Users](usmt-identify-users.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Migrate User Accounts (Windows 10) +description: Migrate User Accounts +ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate User Accounts + + +By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. + +## In this Topic + + +- [To migrate all user accounts and user settings](#bkmk-migrateall) + +- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) + +- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) + +## To migrate all user accounts and user settings +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: + + `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Do one of the following: + + - If you are migrating domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + + - If you are migrating local accounts along with domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` + + **Note**   + You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. + + + +## To migrate two domain accounts (User1 and User2) +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + +## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and type the following at the command-line prompt: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` + +## Related topics + + +[Identify Users](usmt-identify-users.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index 007c4b258a..8ef1ea7592 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -1,76 +1,76 @@ ---- -title: Migration Store Encryption (Windows 10) -description: Migration Store Encryption -ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migration Store Encryption - - -This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. - -## USMT Encryption Options - - -USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. - -The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration. - -The following table describes the command-line encryption options in USMT. - - ----- - - - - - - - - - - - - - - - - - - - -
          ComponentOptionDescription

          ScanState

          /encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm.

          LoadState

          /decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm.

          - - - -**Important**   -Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) - - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: Migration Store Encryption (Windows 10) +description: Migration Store Encryption +ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migration Store Encryption + + +This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. + +## USMT Encryption Options + + +USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. + +The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration. + +The following table describes the command-line encryption options in USMT. + + +++++ + + + + + + + + + + + + + + + + + + + +
          ComponentOptionDescription

          ScanState

          /encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm.

          LoadState

          /decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

          This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm.

          + + + +**Important**   +Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index d35c195f0f..6d80871901 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -1,60 +1,60 @@ ---- -title: User State Migration Tool (USMT) Overview (Windows 10) -description: User State Migration Tool (USMT) Overview -ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 10/16/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview -You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). - -USMT enables you to do the following: - -- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - -- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). - -- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). - -## Benefits -USMT provides the following benefits to businesses that are deploying Windows operating systems: - -- Safely migrates user accounts, operating system and application settings. - -- Lowers the cost of deploying Windows by preserving user state. - -- Reduces end-user downtime required to customize desktops and find missing files. - -- Reduces help-desk calls. - -- Reduces the time needed for the user to become familiar with the new operating system. - -- Increases employee satisfaction with the migration experience. - -## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. - -There are some scenarios in which the use of USMT is not recommended. These include: - -- Migrations that require end-user interaction. - -- Migrations that require customization on a machine-by-machine basis. - -## Related topics -- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) - - -  - - - - - +--- +title: User State Migration Tool (USMT) Overview (Windows 10) +description: User State Migration Tool (USMT) Overview +ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 10/16/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview +You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +USMT enables you to do the following: + +- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). + +- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). + +## Benefits +USMT provides the following benefits to businesses that are deploying Windows operating systems: + +- Safely migrates user accounts, operating system and application settings. + +- Lowers the cost of deploying Windows by preserving user state. + +- Reduces end-user downtime required to customize desktops and find missing files. + +- Reduces help-desk calls. + +- Reduces the time needed for the user to become familiar with the new operating system. + +- Increases employee satisfaction with the migration experience. + +## Limitations +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. + +There are some scenarios in which the use of USMT is not recommended. These include: + +- Migrations that require end-user interaction. + +- Migrations that require customization on a machine-by-machine basis. + +## Related topics +- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) + + +  + + + + + diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 6b8319c12a..1fa60664bd 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -1,71 +1,71 @@ ---- -title: Plan Your Migration (Windows 10) -description: Plan Your Migration -ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Plan Your Migration - - -Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. - -In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. - -One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

          Common Migration Scenarios

          Determine whether you will perform a refresh migration or a replace migration.

          What Does USMT Migrate?

          Learn which applications, user data, and operating system components USMT migrates.

          Choose a Migration Store Type

          Choose an uncompressed, compressed, or hard-link migration store.

          Determine What to Migrate

          Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

          Test Your Migration

          Test your migration before you deploy Windows to all users.

          - - - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Plan Your Migration (Windows 10) +description: Plan Your Migration +ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Plan Your Migration + + +Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. + +In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. + +One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

          Common Migration Scenarios

          Determine whether you will perform a refresh migration or a replace migration.

          What Does USMT Migrate?

          Learn which applications, user data, and operating system components USMT migrates.

          Choose a Migration Store Type

          Choose an uncompressed, compressed, or hard-link migration store.

          Determine What to Migrate

          Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

          Test Your Migration

          Test your migration before you deploy Windows to all users.

          + + + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index 29f59d9b74..d2862feb9a 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -1,470 +1,470 @@ ---- -title: Recognized Environment Variables (Windows 10) -description: Recognized Environment Variables -ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Recognized Environment Variables - - -When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. - -## In This Topic - - -- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) - -- [Variables that are recognized only in the user context](#bkmk-2) - -## Variables that are processed for the operating system and in the context of each user - - -You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          VariableExplanation

          ALLUSERSAPPDATA

          Same as CSIDL_COMMON_APPDATA.

          ALLUSERSPROFILE

          Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

          COMMONPROGRAMFILES

          Same as CSIDL_PROGRAM_FILES_COMMON.

          COMMONPROGRAMFILES(X86)

          Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

          CSIDL_COMMON_ADMINTOOLS

          Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

          CSIDL_COMMON_ALTSTARTUP

          The file-system directory that corresponds to the non-localized Startup program group for all users.

          CSIDL_COMMON_APPDATA

          The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

          CSIDL_COMMON_DESKTOPDIRECTORY

          The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

          CSIDL_COMMON_DOCUMENTS

          The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

          CSIDL_COMMON_FAVORITES

          The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

          CSIDL_COMMON_MUSIC

          The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

          CSIDL_COMMON_PICTURES

          The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

          CSIDL_COMMON_PROGRAMS

          The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

          CSIDL_COMMON_STARTMENU

          The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

          CSIDL_COMMON_STARTUP

          The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_COMMON_TEMPLATES

          The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

          CSIDL_COMMON_VIDEO

          The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

          CSIDL_DEFAULT_APPDATA

          Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_LOCAL_APPDATA

          Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_COOKIES

          Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_CONTACTS

          Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DESKTOP

          Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DOWNLOADS

          Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_FAVORITES

          Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_HISTORY

          Refers to the History folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_INTERNET_CACHE

          Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PERSONAL

          Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYDOCUMENTS

          Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYPICTURES

          Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYMUSIC

          Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYVIDEO

          Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_RECENT

          Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_SENDTO

          Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTMENU

          Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PROGRAMS

          Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTUP

          Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_TEMPLATES

          Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_QUICKLAUNCH

          Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

          CSIDL_FONTS

          A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

          CSIDL_PROGRAM_FILESX86

          The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

          CSIDL_PROGRAM_FILES_COMMONX86

          A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

          CSIDL_PROGRAM_FILES

          The Program Files folder. A typical path is C:\Program Files.

          CSIDL_PROGRAM_FILES_COMMON

          A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

          CSIDL_RESOURCES

          The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

          CSIDL_SYSTEM

          The Windows System folder. A typical path is C:\Windows\System32.

          CSIDL_WINDOWS

          The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

          DEFAULTUSERPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

          PROFILESFOLDER

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

          PROGRAMFILES

          Same as CSIDL_PROGRAM_FILES.

          PROGRAMFILES(X86)

          Refers to the C:\Program Files (x86) folder on 64-bit systems.

          SYSTEM

          Refers to %WINDIR%\system32.

          SYSTEM16

          Refers to %WINDIR%\system.

          SYSTEM32

          Refers to %WINDIR%\system32.

          SYSTEMPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

          SYSTEMROOT

          Refers to the root of the system drive.

          WINDIR

          Refers to the Windows folder located on the system drive.

          - -  - -## Variables that are recognized only in the user context - - -You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          VariableExplanation

          APPDATA

          Same as CSIDL_APPDATA.

          CSIDL_ADMINTOOLS

          The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

          CSIDL_ALTSTARTUP

          The file-system directory that corresponds to the user's non-localized Startup program group.

          CSIDL_APPDATA

          The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

          CSIDL_BITBUCKET

          The virtual folder that contains the objects in the user's Recycle Bin.

          CSIDL_CDBURN_AREA

          The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

          CSIDL_CONNECTIONS

          The virtual folder representing Network Connections that contains network and dial-up connections.

          CSIDL_CONTACTS

          This refers to the Contacts folder in %CSIDL_PROFILE%.

          CSIDL_CONTROLS

          The virtual folder that contains icons for the Control Panel items.

          CSIDL_COOKIES

          The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

          CSIDL_DESKTOP

          The virtual folder representing the Windows desktop.

          CSIDL_DESKTOPDIRECTORY

          The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

          CSIDL_DRIVES

          The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

          CSIDL_FAVORITES

          The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

          CSIDL_HISTORY

          The file-system directory that serves as a common repository for Internet history items.

          CSIDL_INTERNET

          A virtual folder for Internet Explorer.

          CSIDL_INTERNET_CACHE

          The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

          CSIDL_LOCAL_APPDATA

          The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

          CSIDL_MYDOCUMENTS

          The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

          CSIDL_MYMUSIC

          The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

          CSIDL_MYPICTURES

          The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

          CSIDL_MYVIDEO

          The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

          CSIDL_NETHOOD

          A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

          CSIDL_NETWORK

          A virtual folder representing My Network Places, the root of the network namespace hierarchy.

          CSIDL_PERSONAL

          The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

          -

          A typical path is C:\Documents and Settings\username\My Documents.

          CSIDL_PLAYLISTS

          The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

          CSIDL_PRINTERS

          The virtual folder that contains installed printers.

          CSIDL_PRINTHOOD

          The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

          CSIDL_PROFILE

          The user's profile folder. A typical path is C:\Users\Username.

          CSIDL_PROGRAMS

          The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

          CSIDL_RECENT

          The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

          CSIDL_SENDTO

          The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

          CSIDL_STARTMENU

          The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

          CSIDL_STARTUP

          The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_TEMPLATES

          The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

          HOMEPATH

          Same as the standard environment variable.

          TEMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          TMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          USERPROFILE

          Same as CSIDL_PROFILE.

          USERSID

          Represents the current user-account security identifier (SID). For example,

          -

          S-1-5-21-1714567821-1326601894-715345443-1026.

          - -  - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -  - -  - - - - - +--- +title: Recognized Environment Variables (Windows 10) +description: Recognized Environment Variables +ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Recognized Environment Variables + + +When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. + +## In This Topic + + +- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) + +- [Variables that are recognized only in the user context](#bkmk-2) + +## Variables that are processed for the operating system and in the context of each user + + +You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          VariableExplanation

          ALLUSERSAPPDATA

          Same as CSIDL_COMMON_APPDATA.

          ALLUSERSPROFILE

          Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

          COMMONPROGRAMFILES

          Same as CSIDL_PROGRAM_FILES_COMMON.

          COMMONPROGRAMFILES(X86)

          Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

          CSIDL_COMMON_ADMINTOOLS

          Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

          CSIDL_COMMON_ALTSTARTUP

          The file-system directory that corresponds to the non-localized Startup program group for all users.

          CSIDL_COMMON_APPDATA

          The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

          CSIDL_COMMON_DESKTOPDIRECTORY

          The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

          CSIDL_COMMON_DOCUMENTS

          The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

          CSIDL_COMMON_FAVORITES

          The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

          CSIDL_COMMON_MUSIC

          The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

          CSIDL_COMMON_PICTURES

          The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

          CSIDL_COMMON_PROGRAMS

          The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

          CSIDL_COMMON_STARTMENU

          The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

          CSIDL_COMMON_STARTUP

          The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_COMMON_TEMPLATES

          The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

          CSIDL_COMMON_VIDEO

          The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

          CSIDL_DEFAULT_APPDATA

          Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_LOCAL_APPDATA

          Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_COOKIES

          Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_CONTACTS

          Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DESKTOP

          Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_DOWNLOADS

          Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_FAVORITES

          Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_HISTORY

          Refers to the History folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_INTERNET_CACHE

          Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PERSONAL

          Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYDOCUMENTS

          Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYPICTURES

          Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYMUSIC

          Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_MYVIDEO

          Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_RECENT

          Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_SENDTO

          Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTMENU

          Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_PROGRAMS

          Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_STARTUP

          Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_TEMPLATES

          Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

          CSIDL_DEFAULT_QUICKLAUNCH

          Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

          CSIDL_FONTS

          A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

          CSIDL_PROGRAM_FILESX86

          The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

          CSIDL_PROGRAM_FILES_COMMONX86

          A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

          CSIDL_PROGRAM_FILES

          The Program Files folder. A typical path is C:\Program Files.

          CSIDL_PROGRAM_FILES_COMMON

          A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

          CSIDL_RESOURCES

          The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

          CSIDL_SYSTEM

          The Windows System folder. A typical path is C:\Windows\System32.

          CSIDL_WINDOWS

          The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

          DEFAULTUSERPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

          PROFILESFOLDER

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

          PROGRAMFILES

          Same as CSIDL_PROGRAM_FILES.

          PROGRAMFILES(X86)

          Refers to the C:\Program Files (x86) folder on 64-bit systems.

          SYSTEM

          Refers to %WINDIR%\system32.

          SYSTEM16

          Refers to %WINDIR%\system.

          SYSTEM32

          Refers to %WINDIR%\system32.

          SYSTEMPROFILE

          Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

          SYSTEMROOT

          Refers to the root of the system drive.

          WINDIR

          Refers to the Windows folder located on the system drive.

          + +  + +## Variables that are recognized only in the user context + + +You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          VariableExplanation

          APPDATA

          Same as CSIDL_APPDATA.

          CSIDL_ADMINTOOLS

          The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

          CSIDL_ALTSTARTUP

          The file-system directory that corresponds to the user's non-localized Startup program group.

          CSIDL_APPDATA

          The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

          CSIDL_BITBUCKET

          The virtual folder that contains the objects in the user's Recycle Bin.

          CSIDL_CDBURN_AREA

          The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

          CSIDL_CONNECTIONS

          The virtual folder representing Network Connections that contains network and dial-up connections.

          CSIDL_CONTACTS

          This refers to the Contacts folder in %CSIDL_PROFILE%.

          CSIDL_CONTROLS

          The virtual folder that contains icons for the Control Panel items.

          CSIDL_COOKIES

          The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

          CSIDL_DESKTOP

          The virtual folder representing the Windows desktop.

          CSIDL_DESKTOPDIRECTORY

          The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

          CSIDL_DRIVES

          The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

          CSIDL_FAVORITES

          The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

          CSIDL_HISTORY

          The file-system directory that serves as a common repository for Internet history items.

          CSIDL_INTERNET

          A virtual folder for Internet Explorer.

          CSIDL_INTERNET_CACHE

          The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

          CSIDL_LOCAL_APPDATA

          The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

          CSIDL_MYDOCUMENTS

          The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

          CSIDL_MYMUSIC

          The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

          CSIDL_MYPICTURES

          The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

          CSIDL_MYVIDEO

          The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

          CSIDL_NETHOOD

          A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

          CSIDL_NETWORK

          A virtual folder representing My Network Places, the root of the network namespace hierarchy.

          CSIDL_PERSONAL

          The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

          +

          A typical path is C:\Documents and Settings\username\My Documents.

          CSIDL_PLAYLISTS

          The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

          CSIDL_PRINTERS

          The virtual folder that contains installed printers.

          CSIDL_PRINTHOOD

          The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

          CSIDL_PROFILE

          The user's profile folder. A typical path is C:\Users\Username.

          CSIDL_PROGRAMS

          The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

          CSIDL_RECENT

          The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

          CSIDL_SENDTO

          The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

          CSIDL_STARTMENU

          The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

          CSIDL_STARTUP

          The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

          CSIDL_TEMPLATES

          The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

          HOMEPATH

          Same as the standard environment variable.

          TEMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          TMP

          The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

          USERPROFILE

          Same as CSIDL_PROFILE.

          USERSID

          Represents the current user-account security identifier (SID). For example,

          +

          S-1-5-21-1714567821-1326601894-715345443-1026.

          + +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 2ab5b4c6c7..c5bcd4193c 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -1,77 +1,77 @@ ---- -title: User State Migration Toolkit (USMT) Reference (Windows 10) -description: User State Migration Toolkit (USMT) Reference -ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Toolkit (USMT) Reference - - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          USMT Requirements

          Describes operating system, hardware, and software requirements, and user prerequisites.

          USMT Best Practices

          Discusses general and security-related best practices when using USMT.

          How USMT Works

          Learn about the processes behind the ScanState and LoadState tools.

          Plan Your Migration

          Choose what to migrate and the best migration scenario for your enterprise.

          User State Migration Tool (USMT) Command-line Syntax

          Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

          USMT XML Reference

          Learn about customizing a migration with XML files.

          Offline Migration Reference

          Find requirements, best practices, and other considerations for performing a migration offline.

          - - - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - - - - - - - - - +--- +title: User State Migration Toolkit (USMT) Reference (Windows 10) +description: User State Migration Toolkit (USMT) Reference +ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Toolkit (USMT) Reference + + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

          USMT Requirements

          Describes operating system, hardware, and software requirements, and user prerequisites.

          USMT Best Practices

          Discusses general and security-related best practices when using USMT.

          How USMT Works

          Learn about the processes behind the ScanState and LoadState tools.

          Plan Your Migration

          Choose what to migrate and the best migration scenario for your enterprise.

          User State Migration Tool (USMT) Command-line Syntax

          Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

          USMT XML Reference

          Learn about customizing a migration with XML files.

          Offline Migration Reference

          Find requirements, best practices, and other considerations for performing a migration offline.

          + + + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 20590672c3..45af228e40 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -1,161 +1,161 @@ ---- -title: USMT Requirements (Windows 10) -description: USMT Requirements -ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 05/03/2017 -ms.topic: article ---- - -# USMT Requirements - - -## In This Topic - - -- [Supported Operating Systems](#bkmk-1) -- [Windows PE](#windows-pe) -- [Credentials](#credentials) -- [Config.xml](#configxml) -- [LoadState](#loadstate) -- [Hard Disk Requirements](#bkmk-3) -- [User Prerequisites](#bkmk-userprereqs) - -## Supported Operating Systems - - -The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. - -The following table lists the operating systems supported in USMT. - - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Operating SystemsScanState (source computer)LoadState (destination computer)

          32-bit versions of Windows 7

          X

          X

          64-bit versions of Windows 7

          X

          X

          32-bit versions of Windows 8

          X

          X

          64-bit versions of Windows 8

          X

          X

          32-bit versions of Windows 10

          X

          X

          64-bit versions of Windows 10

          X

          X

          - - - -**Note**   -You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. - -USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7. - -USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10. -For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).  - -## Windows PE - -- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](https://msdn.microsoft.com/library/windows/hardware/dn938350.aspx). - -## Credentials - -- **Run as administrator** - When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration. - -To open an elevated command prompt: - -1. Click **Start**. -2. Enter **cmd** in the search function. -3. Depending on the OS you are using, **cmd** or **Command Prompt** is displayed. -3. Right-click **cmd** or **Command Prompt**, and then click **Run as administrator**. -4. If the current user is not already an administrator, you will be prompted to enter administrator credentials. - -**Important**
          -You must run USMT using an account with full administrative permissions, including the following privileges: - -- SeBackupPrivilege (Back up files and directories) -- SeDebugPrivilege (Debug programs) -- SeRestorePrivilege (Restore files and directories) -- SeSecurityPrivilege (Manage auditing and security log) -- SeTakeOwnership Privilege (Take ownership of files or other objects) - - -## Config.xml - -- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
          - USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). - -## LoadState - -- **Install applications before running the LoadState command.**
          - Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. - -## Hard-Disk Requirements - - -Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). - -## User Prerequisites - - -This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: - -- The navigation and hierarchy of the Windows registry. -- The files and file types that applications use. -- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. -- XML-authoring basics. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md)
          -[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
          -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
          - - - - - - - - - +--- +title: USMT Requirements (Windows 10) +description: USMT Requirements +ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 05/03/2017 +ms.topic: article +--- + +# USMT Requirements + + +## In This Topic + + +- [Supported Operating Systems](#bkmk-1) +- [Windows PE](#windows-pe) +- [Credentials](#credentials) +- [Config.xml](#configxml) +- [LoadState](#loadstate) +- [Hard Disk Requirements](#bkmk-3) +- [User Prerequisites](#bkmk-userprereqs) + +## Supported Operating Systems + + +The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. + +The following table lists the operating systems supported in USMT. + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Operating SystemsScanState (source computer)LoadState (destination computer)

          32-bit versions of Windows 7

          X

          X

          64-bit versions of Windows 7

          X

          X

          32-bit versions of Windows 8

          X

          X

          64-bit versions of Windows 8

          X

          X

          32-bit versions of Windows 10

          X

          X

          64-bit versions of Windows 10

          X

          X

          + + + +**Note**   +You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. + +USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7. + +USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10. +For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).  + +## Windows PE + +- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](https://msdn.microsoft.com/library/windows/hardware/dn938350.aspx). + +## Credentials + +- **Run as administrator** + When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration. + +To open an elevated command prompt: + +1. Click **Start**. +2. Enter **cmd** in the search function. +3. Depending on the OS you are using, **cmd** or **Command Prompt** is displayed. +3. Right-click **cmd** or **Command Prompt**, and then click **Run as administrator**. +4. If the current user is not already an administrator, you will be prompted to enter administrator credentials. + +**Important**
          +You must run USMT using an account with full administrative permissions, including the following privileges: + +- SeBackupPrivilege (Back up files and directories) +- SeDebugPrivilege (Debug programs) +- SeRestorePrivilege (Restore files and directories) +- SeSecurityPrivilege (Manage auditing and security log) +- SeTakeOwnership Privilege (Take ownership of files or other objects) + + +## Config.xml + +- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
          + USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). + +## LoadState + +- **Install applications before running the LoadState command.**
          + Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. + +## Hard-Disk Requirements + + +Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). + +## User Prerequisites + + +This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: + +- The navigation and hierarchy of the Windows registry. +- The files and file types that applications use. +- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. +- XML-authoring basics. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md)
          +[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
          +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
          + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 4ea1caaac3..22f64e513e 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -31,7 +32,7 @@ In this topic: The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +``` xml Engineering Drafts Documents to Personal Folder @@ -60,7 +61,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +``` xml All .mp3 files to My Documents @@ -88,7 +89,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +``` xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 32ed639508..eaaa49a5d4 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -1,50 +1,50 @@ ---- -title: USMT Resources (Windows 10) -description: USMT Resources -ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# USMT Resources - - -## USMT Online Resources - - -- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) - -- Microsoft Visual Studio - - - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. - - For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. - -- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) - -- Forums: - - - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) - - - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -  - -  - - - - - +--- +title: USMT Resources (Windows 10) +description: USMT Resources +ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# USMT Resources + + +## USMT Online Resources + + +- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) + +- Microsoft Visual Studio + + - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. + + For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. + +- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365) + +- Forums: + + - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) + + - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md index 18d223385b..c137197a5c 100644 --- a/windows/deployment/usmt/usmt-return-codes.md +++ b/windows/deployment/usmt/usmt-return-codes.md @@ -1,786 +1,786 @@ ---- -title: Return Codes (Windows 10) -description: Return Codes -ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Return Codes - - -This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. - -Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). - -## In This Topic - - -[USMT Return Codes](#bkmk-returncodes) - -[USMT Error Messages](#bkmk-errormessages) - -[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) - -## USMT Return Codes - - -If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. - -Return codes are grouped into the following broad categories that describe their area of error reporting: - -Success or User Cancel - -Invalid Command Lines - -Setup and Initialization - -Non-fatal Errors - -Fatal Errors - -As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. - -## USMT Error Messages - - -Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. - -You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). - -## Troubleshooting Return Codes and Error Messages - - -The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

          0

          USMT_SUCCESS

          Successful run

          Not applicable

          Success or Cancel

          1

          USMT_DISPLAY_HELP

          Command line help requested

          Not applicable

          Success or Cancel

          2

          USMT_STATUS_CANCELED

          Gather was aborted because of an EFS file

          Not applicable

          User chose to cancel (such as pressing CTRL+C)

          Not applicable

          Success or Cancel

          3

          USMT_WOULD_HAVE_FAILED

          At least one error was skipped as a result of /c

          Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

          11

          USMT_INVALID_PARAMETERS

          /all conflicts with /ui, /ue or /uel

          Review ScanState log or LoadState log for details about command-line errors.

          /auto expects an optional parameter for the script folder

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt can't be used with /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt requires /key or /keyfile

          Review ScanState log or LoadState log for details about command-line errors.

          /genconfig can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /genmigxml can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /hardlink requires /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /key and /keyfile both specified

          Review ScanState log or LoadState log for details about command-line errors.

          /key or /keyfile used without enabling encryption

          Review ScanState log or LoadState log for details about command-line errors.

          /lae is only used with /lac

          Review ScanState log or LoadState log for details about command-line errors.

          /listfiles cannot be used with /p

          Review ScanState log or LoadState log for details about command-line errors.

          /offline requires a valid path to an XML file describing offline paths

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewindir requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewinold requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          A command was already specified

          Verify that the command-line syntax is correct and that there are no duplicate commands.

          An option argument is missing

          Review ScanState log or LoadState log for details about command-line errors.

          An option is specified more than once and is ambiguous

          Review ScanState log or LoadState log for details about command-line errors.

          By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line arguments are required. Specify /? for options.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line option is not valid

          Review ScanState log or LoadState log for details about command-line errors.

          EFS parameter specified is not valid for /efs

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genconfig

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genmigxml

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          List file path argument is invalid for /listfiles

          Review ScanState log or LoadState log for details about command-line errors.

          Retry argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          Settings store argument specified is invalid

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Specified encryption algorithm is not supported

          Review ScanState log or LoadState log for details about command-line errors.

          The /efs:hardlink requires /hardlink

          Review ScanState log or LoadState log for details about command-line errors.

          The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

          Review ScanState log or LoadState log for details about command-line errors.

          The store parameter is required but not specified

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target domain mapping is invalid for /md

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target user account mapping is invalid for /mu

          Review ScanState log or LoadState log for details about command-line errors.

          Undefined or incomplete command line option

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

          Review ScanState log or LoadState log for details about command-line errors.

          User exclusion argument is invalid

          Review ScanState log or LoadState log for details about command-line errors.

          Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

          Review ScanState log or LoadState log for details about command-line errors.

          Volume shadow copy feature is not supported with a hardlink store

          Review ScanState log or LoadState log for details about command-line errors.

          Wait delay argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          12

          USMT_ERROR_OPTION_PARAM_TOO_LARGE

          Command line arguments cannot exceed 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Specified settings store path exceeds the maximum allowed length of 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          13

          USMT_INIT_LOGFILE_FAILED

          Log path argument is invalid for /l

          When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

          Invalid Command Lines

          14

          USMT_ERROR_USE_LAC

          Unable to create a local account because /lac was not specified

          When creating local accounts, the command-line options /lac and /lae should be used.

          Invalid Command Lines

          26

          USMT_INIT_ERROR

          Multiple Windows installations found

          Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

          Setup and Initialization

          Software malfunction or unknown exception

          Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

          Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

          Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

          27

          USMT_INVALID_STORE_LOCATION

          A store path can't be used because an existing store exists; specify /o to overwrite

          Specify /o to overwrite an existing intermediate or migration store.

          Setup and Initialization

          A store path is missing or has incomplete data

          Make sure that the store path is accessible and that the proper permission levels are set.

          An error occurred during store creation

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          An inappropriate device such as a floppy disk was specified for the store

          Make sure that the store path is accessible and that the proper permission levels are set.

          Invalid store path; check the store parameter and/or file system permissions

          Invalid store path; check the store parameter and/or file system permissions

          The file layout and/or file content is not recognized as a valid store

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          The store path holds a store incompatible with the current USMT version

          Make sure that the store path is accessible and that the proper permission levels are set.

          The store save location is read-only or does not support a requested storage option

          Make sure that the store path is accessible and that the proper permission levels are set.

          28

          USMT_UNABLE_GET_SCRIPTFILES

          Script file is invalid for /i

          Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

          Setup and Initialization

          Unable to find a script file specified by /i

          Verify the location of your script files, and ensure that the command-line options are correct.

          29

          USMT_FAILED_MIGSTARTUP

          A minimum of 250 MB of free space is required for temporary files

          Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

          Setup and Initialization

          Another process is preventing migration; only one migration tool can run at a time

          Check the ScanState log file for migration .xml file errors.

          Failed to start main processing, look in log for system errors or check the installation

          Check the ScanState log file for migration .xml file errors.

          Migration failed because of an XML error; look in the log for specific details

          Check the ScanState log file for migration .xml file errors.

          Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

          Check the ScanState log file for migration .xml file errors.

          31

          USMT_UNABLE_FINDMIGUNITS

          An error occurred during the discover phase; the log should have more specific information

          Check the ScanState log file for migration .xml file errors.

          Setup and Initialization

          32

          USMT_FAILED_SETMIGRATIONTYPE

          An error occurred processing the migration system

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          33

          USMT_UNABLE_READKEY

          Error accessing the file specified by the /keyfile parameter

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          The encryption key must have at least one character

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          34

          USMT_ERROR_INSUFFICIENT_RIGHTS

          Directory removal requires elevated privileges

          Log on as Administrator, and run with elevated privileges.

          Setup and Initialization

          No rights to create user profiles; log in as Administrator; run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          35

          USMT_UNABLE_DELETE_STORE

          A reboot is required to remove the store

          Reboot to delete any files that could not be deleted when the command was executed.

          Setup and Initialization

          A store path can't be used because it contains data that could not be overwritten

          A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

          There was an error removing the store

          Review ScanState log or LoadState log for details about command-line errors.

          36

          USMT_ERROR_UNSUPPORTED_PLATFORM

          Compliance check failure; please check the logs for details

          Investigate whether there is an active temporary profile on the system.

          Setup and Initialization

          Use of /offline is not supported during apply

          The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

          Use /offline to run gather on this platform

          The /offline command was not used while running in WinPE.

          37

          USMT_ERROR_NO_INVALID_KEY

          The store holds encrypted data but the correct encryption key was not provided

          Verify that you have included the correct encryption /key or /keyfile.

          Setup and Initialization

          38

          USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

          An error occurred during store access

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Setup and Initialization

          39

          USMT_UNABLE_TO_READ_CONFIG_FILE

          Error reading Config.xml

          Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

          Setup and Initialization

          File argument is invalid for /config

          Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

          40

          USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

          Error writing to the progress log

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Progress log argument is invalid for /progress

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          41

          USMT_PREFLIGHT_FILE_CREATION_FAILED

          Can't overwrite existing file

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          42

          USMT_ERROR_CORRUPTED_STORE

          The store contains one or more corrupted files

          Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

          61

          USMT_MIGRATION_STOPPED_NONFATAL

          Processing stopped due to an I/O error

          USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

          Non-fatal Errors

          71

          USMT_INIT_OPERATING_ENVIRONMENT_FAILED

          A Windows Win32 API error occurred

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred when attempting to initialize the diagnostic mechanisms such as the log

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Failed to record diagnostic information

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Unable to start. Make sure you are running USMT with elevated privileges

          Exit USMT and log in again with elevated privileges.

          72

          USMT_UNABLE_DOMIGRATION

          An error occurred closing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred in the apply process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          An error occurred in the gather process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of disk space while writing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of temporary disk space on the local system

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Return Codes (Windows 10) +description: Return Codes +ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Return Codes + + +This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. + +Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). + +## In This Topic + + +[USMT Return Codes](#bkmk-returncodes) + +[USMT Error Messages](#bkmk-errormessages) + +[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) + +## USMT Return Codes + + +If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. + +Return codes are grouped into the following broad categories that describe their area of error reporting: + +Success or User Cancel + +Invalid Command Lines + +Setup and Initialization + +Non-fatal Errors + +Fatal Errors + +As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. + +## USMT Error Messages + + +Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. + +You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). + +## Troubleshooting Return Codes and Error Messages + + +The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

          0

          USMT_SUCCESS

          Successful run

          Not applicable

          Success or Cancel

          1

          USMT_DISPLAY_HELP

          Command line help requested

          Not applicable

          Success or Cancel

          2

          USMT_STATUS_CANCELED

          Gather was aborted because of an EFS file

          Not applicable

          User chose to cancel (such as pressing CTRL+C)

          Not applicable

          Success or Cancel

          3

          USMT_WOULD_HAVE_FAILED

          At least one error was skipped as a result of /c

          Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

          11

          USMT_INVALID_PARAMETERS

          /all conflicts with /ui, /ue or /uel

          Review ScanState log or LoadState log for details about command-line errors.

          /auto expects an optional parameter for the script folder

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt can't be used with /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /encrypt requires /key or /keyfile

          Review ScanState log or LoadState log for details about command-line errors.

          /genconfig can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /genmigxml can't be used with most other options

          Review ScanState log or LoadState log for details about command-line errors.

          /hardlink requires /nocompress

          Review ScanState log or LoadState log for details about command-line errors.

          /key and /keyfile both specified

          Review ScanState log or LoadState log for details about command-line errors.

          /key or /keyfile used without enabling encryption

          Review ScanState log or LoadState log for details about command-line errors.

          /lae is only used with /lac

          Review ScanState log or LoadState log for details about command-line errors.

          /listfiles cannot be used with /p

          Review ScanState log or LoadState log for details about command-line errors.

          /offline requires a valid path to an XML file describing offline paths

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewindir requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          /offlinewinold requires a valid path to offline windows folder

          Review ScanState log or LoadState log for details about command-line errors.

          A command was already specified

          Verify that the command-line syntax is correct and that there are no duplicate commands.

          An option argument is missing

          Review ScanState log or LoadState log for details about command-line errors.

          An option is specified more than once and is ambiguous

          Review ScanState log or LoadState log for details about command-line errors.

          By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line arguments are required. Specify /? for options.

          Review ScanState log or LoadState log for details about command-line errors.

          Command line option is not valid

          Review ScanState log or LoadState log for details about command-line errors.

          EFS parameter specified is not valid for /efs

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genconfig

          Review ScanState log or LoadState log for details about command-line errors.

          File argument is invalid for /genmigxml

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          List file path argument is invalid for /listfiles

          Review ScanState log or LoadState log for details about command-line errors.

          Retry argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          Settings store argument specified is invalid

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Specified encryption algorithm is not supported

          Review ScanState log or LoadState log for details about command-line errors.

          The /efs:hardlink requires /hardlink

          Review ScanState log or LoadState log for details about command-line errors.

          The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

          Review ScanState log or LoadState log for details about command-line errors.

          The store parameter is required but not specified

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target domain mapping is invalid for /md

          Review ScanState log or LoadState log for details about command-line errors.

          The source-to-target user account mapping is invalid for /mu

          Review ScanState log or LoadState log for details about command-line errors.

          Undefined or incomplete command line option

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

          Review ScanState log or LoadState log for details about command-line errors.

          User exclusion argument is invalid

          Review ScanState log or LoadState log for details about command-line errors.

          Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

          Review ScanState log or LoadState log for details about command-line errors.

          Volume shadow copy feature is not supported with a hardlink store

          Review ScanState log or LoadState log for details about command-line errors.

          Wait delay argument must be an integer

          Review ScanState log or LoadState log for details about command-line errors.

          12

          USMT_ERROR_OPTION_PARAM_TOO_LARGE

          Command line arguments cannot exceed 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          Invalid Command Lines

          Specified settings store path exceeds the maximum allowed length of 256 characters

          Review ScanState log or LoadState log for details about command-line errors.

          13

          USMT_INIT_LOGFILE_FAILED

          Log path argument is invalid for /l

          When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

          Invalid Command Lines

          14

          USMT_ERROR_USE_LAC

          Unable to create a local account because /lac was not specified

          When creating local accounts, the command-line options /lac and /lae should be used.

          Invalid Command Lines

          26

          USMT_INIT_ERROR

          Multiple Windows installations found

          Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

          Setup and Initialization

          Software malfunction or unknown exception

          Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

          Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

          Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

          27

          USMT_INVALID_STORE_LOCATION

          A store path can't be used because an existing store exists; specify /o to overwrite

          Specify /o to overwrite an existing intermediate or migration store.

          Setup and Initialization

          A store path is missing or has incomplete data

          Make sure that the store path is accessible and that the proper permission levels are set.

          An error occurred during store creation

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          An inappropriate device such as a floppy disk was specified for the store

          Make sure that the store path is accessible and that the proper permission levels are set.

          Invalid store path; check the store parameter and/or file system permissions

          Invalid store path; check the store parameter and/or file system permissions

          The file layout and/or file content is not recognized as a valid store

          Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

          The store path holds a store incompatible with the current USMT version

          Make sure that the store path is accessible and that the proper permission levels are set.

          The store save location is read-only or does not support a requested storage option

          Make sure that the store path is accessible and that the proper permission levels are set.

          28

          USMT_UNABLE_GET_SCRIPTFILES

          Script file is invalid for /i

          Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

          Setup and Initialization

          Unable to find a script file specified by /i

          Verify the location of your script files, and ensure that the command-line options are correct.

          29

          USMT_FAILED_MIGSTARTUP

          A minimum of 250 MB of free space is required for temporary files

          Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

          Setup and Initialization

          Another process is preventing migration; only one migration tool can run at a time

          Check the ScanState log file for migration .xml file errors.

          Failed to start main processing, look in log for system errors or check the installation

          Check the ScanState log file for migration .xml file errors.

          Migration failed because of an XML error; look in the log for specific details

          Check the ScanState log file for migration .xml file errors.

          Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

          Check the ScanState log file for migration .xml file errors.

          31

          USMT_UNABLE_FINDMIGUNITS

          An error occurred during the discover phase; the log should have more specific information

          Check the ScanState log file for migration .xml file errors.

          Setup and Initialization

          32

          USMT_FAILED_SETMIGRATIONTYPE

          An error occurred processing the migration system

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          33

          USMT_UNABLE_READKEY

          Error accessing the file specified by the /keyfile parameter

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          Setup and Initialization

          The encryption key must have at least one character

          Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

          34

          USMT_ERROR_INSUFFICIENT_RIGHTS

          Directory removal requires elevated privileges

          Log on as Administrator, and run with elevated privileges.

          Setup and Initialization

          No rights to create user profiles; log in as Administrator; run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

          Log on as Administrator, and run with elevated privileges.

          35

          USMT_UNABLE_DELETE_STORE

          A reboot is required to remove the store

          Reboot to delete any files that could not be deleted when the command was executed.

          Setup and Initialization

          A store path can't be used because it contains data that could not be overwritten

          A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

          There was an error removing the store

          Review ScanState log or LoadState log for details about command-line errors.

          36

          USMT_ERROR_UNSUPPORTED_PLATFORM

          Compliance check failure; please check the logs for details

          Investigate whether there is an active temporary profile on the system.

          Setup and Initialization

          Use of /offline is not supported during apply

          The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

          Use /offline to run gather on this platform

          The /offline command was not used while running in WinPE.

          37

          USMT_ERROR_NO_INVALID_KEY

          The store holds encrypted data but the correct encryption key was not provided

          Verify that you have included the correct encryption /key or /keyfile.

          Setup and Initialization

          38

          USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

          An error occurred during store access

          Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

          Setup and Initialization

          39

          USMT_UNABLE_TO_READ_CONFIG_FILE

          Error reading Config.xml

          Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

          Setup and Initialization

          File argument is invalid for /config

          Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

          40

          USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

          Error writing to the progress log

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Progress log argument is invalid for /progress

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          41

          USMT_PREFLIGHT_FILE_CREATION_FAILED

          Can't overwrite existing file

          The Progress log could not be created. Verify that the location is valid and that you have write access.

          Setup and Initialization

          Invalid space estimate path. Check the parameters and/or file system permissions

          Review ScanState log or LoadState log for details about command-line errors.

          42

          USMT_ERROR_CORRUPTED_STORE

          The store contains one or more corrupted files

          Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

          61

          USMT_MIGRATION_STOPPED_NONFATAL

          Processing stopped due to an I/O error

          USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

          Non-fatal Errors

          71

          USMT_INIT_OPERATING_ENVIRONMENT_FAILED

          A Windows Win32 API error occurred

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred when attempting to initialize the diagnostic mechanisms such as the log

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Failed to record diagnostic information

          Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

          Unable to start. Make sure you are running USMT with elevated privileges

          Exit USMT and log in again with elevated privileges.

          72

          USMT_UNABLE_DOMIGRATION

          An error occurred closing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Fatal Errors

          An error occurred in the apply process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          An error occurred in the gather process

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of disk space while writing the store

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          Out of temporary disk space on the local system

          Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

          + + + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 77c1c1b5d6..83afe8628b 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -1,873 +1,873 @@ ---- -title: ScanState Syntax (Windows 10) -description: ScanState Syntax -ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# ScanState Syntax - - -The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. - -## In This Topic - - -[Before You Begin](#bkmk-beforeyoubegin) - -[Syntax](#bkmk-syntax) - -[Storage Options](#bkmk-storageoptions) - -[Migration Rule Options](#bkmk-migrationruleoptions) - -[Monitoring Options](#bkmk-monitoringoptions) - -[User Options](#bkmk-useroptions) - -[Encrypted File Options](#bkmk-efs) - -[Incompatible Command-Line Options](#bkmk-iclo) - -## Before You Begin - - -Before you run the **ScanState** command, note the following: - -- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. - -- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. - -- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). - -- Unless otherwise noted, you can use each option only once when running a tool on the command line. - -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. - -- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. - -- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. - -## Syntax - - -This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. - -The **ScanState** command's syntax is: - -scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example: - -To create a Config.xml file in the current directory, use: - -`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` - -To create an encrypted store using the Config.xml file and the default migration .xml files, use: - -`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` - -## Storage Options - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          StorePath

          Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

          /apps

          Scans the image for apps and includes them and their associated registry settings.

          /ppkg [<FileName>]

          Exports to a specific file location.

          /o

          Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

          /vsc

          This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

          -

          This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

          /hardlink

          Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

          /encrypt [{/key:<KeyString> | /keyfile:<file>]}

          Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

          -
            -

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

            • -

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

            • -
          -

          We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

          -
          -Important

          You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

          -
          -
          - -
          -

          The following example shows the ScanState command and the /key option:

          -

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

          /encrypt:<EncryptionStrength>

          The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

          /nocompress

          Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

          -

          The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

          -

          For example:

          -

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

          - - - -## Run the ScanState Command on an Offline Windows System - - -You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. - -There are several benefits to running the **ScanState** command on an offline Windows image, including: - -- **Improved Performance.** - - Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. - -- **Simplified end to end deployment process.** - - Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. - -- **Improved success of migration.** - - The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. - -- **Ability to recover an unbootable computer.** - - It might be possible to recover and migrate data from an unbootable computer. - -## Offline Migration Options - - - ---- - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDefinition

          /offline:"path to an offline.xml file"

          This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

          /offlinewindir:"path to a Windows directory"

          This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

          /offlinewinold:"Windows.old directory"

          This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

          - - - -## Migration Rule Options - - -USMT provides the following options to specify what files you want to migrate. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          -

          Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

          /genconfig:[Path]FileName

          (Generate Config.xml)

          -

          Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

          -

          After you create this file, you will need to make use of it with the ScanState command using the /config option.

          -

          The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          -

          Examples:

          -
            -

          • The following example creates a Config.xml file in the current directory:

            -

            scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

            • -

          /config:[Path</em>]FileName

          Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          -

          The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

          -

          scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

          -

          The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

          -

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

          /auto:path to script files

          This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          /genmigxml:path to a file

          This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

          /targetwindows8

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

          -
            -

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

            • -

          • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

            • -

          /targetwindows7

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

          -
            -

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

            • -

          • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

            • -

          /localonly

          Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

          -

          Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

          -

          The /localonly command-line option includes or excludes data in the migration as identified in the following table:

          - ---- - - - - - - - - - - - - - - - - - - - - -
          Drive typeBehavior with /localonly

          Removable drives such as a USB flash drive

          Excluded

          Network drives

          Excluded

          Fixed drives

          Included

          -

          - - - -## Monitoring Options - - -USMT provides several options that you can use to analyze problems that occur during migration. - -**Note** -The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /listfiles:<FileName>

          You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

          /l:[Path]FileName

          Specifies the location and name of the ScanState log.

          -

          You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

          -

          If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the ScanState log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

          -

          For example:

          -

          scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

          -

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          -

          For example:

          -

          scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

          -

          You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          -

          Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          -

          While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          -

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /p:<pathToFile>

          When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

          -

          Scanstate.exe C:\MigrationLocation [additional parameters]

          -

          /p:"C:\MigrationStoreSize.xml"

          -

          For more information, see Estimate Migration Store Size.

          -

          To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

          /? or /help

          Displays Help at the command line.

          - - - -## User Options - - -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          -

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:<DomainName>\<UserName>

          -

          or

          -

          /ui:<ComputerName>\<LocalUserName>

          (User include)

          -

          Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          -
          -Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          -
          -
          - -
          -

          For example:

          -
            -

            To include only User2 from the Fabrikam domain, type:

            -

            /ue:*\* /ui:fabrikam\user2

            -

            To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

            -

            /uel:30 /ui:fabrikam\*

            -

            In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

            -
          -

          For more examples, see the descriptions of the /ue and /ui options in this table.

          /uel:<NumberOfDays>

          -

          or

          -

          /uel:<YYYY/MM/DD>

          -

          or

          -

          /uel:0

          (User exclude based on last logon)

          -

          Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

          -

          You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          -
          -Note

          The /uel option is not valid in offline migrations.

          -
          -
          - -
          -
            -

          • /uel:0 migrates any users who are currently logged on.

            • -

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • -

          • /uel:1 migrates users whose account has been modified within the last 24 hours.

            • -

          • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

            • -
          -

          For example:

          -

          scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

          /ue:<DomainName>\<UserName>

          -

          -or-

          -

          -

          /ue:<ComputerName>\<LocalUserName>

          (User exclude)

          -

          Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

          -

          For example:

          -

          scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

          - - - -## How to Use /ui and /ue - - -The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Exclude the user named User One in the Fabrikam domain.

          /ue:"fabrikam\user one"

          Exclude the user named User1 in the Fabrikam domain.

          /ue:fabrikam\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain\*

          Exclude all local users.

          /ue:%computername%\*

          Exclude users in all domains named User1, User2, and so on.

          /ue:*\user*

          - - - -## Using the Options Together - - -You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. - -The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. - -The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:*\* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:*\* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          -
            -

          • On the ScanState command line, type: /ue:*\* /ui:contoso\*

            • -

          • On the LoadState command line, type: /ue:contoso\user1

            • -

          Include only local (non-domain) users.

          /ue:*\* /ui:%computername%\*

          - - - -## Encrypted File Options - - -You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. - -For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). - -**Note** -EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files - - - -**Caution** -Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line OptionExplanation

          /efs:hardlink

          Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

          /efs:abort

          Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

          /efs:skip

          Causes the ScanState command to ignore EFS files.

          /efs:decryptcopy

          Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

          /efs:copyraw

          Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

          -

          For example:

          -

          ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

          -
          -Important

          All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

          -
          -
          - -
          - - - -## Incompatible Command-Line Options - - -The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /o

          /v

          /nocompress

          X

          N/A

          /localonly

          X

          /key

          X

          X

          /encrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /efs:<option>

          X

          /genconfig

          N/A

          /config

          X

          <StorePath>

          X

          - - - -**Note** -You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. - - - -## Related topics - - -[XML Elements Library](usmt-xml-elements-library.md) - - - - - - - - - +--- +title: ScanState Syntax (Windows 10) +description: ScanState Syntax +ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# ScanState Syntax + + +The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. + +## In This Topic + + +[Before You Begin](#bkmk-beforeyoubegin) + +[Syntax](#bkmk-syntax) + +[Storage Options](#bkmk-storageoptions) + +[Migration Rule Options](#bkmk-migrationruleoptions) + +[Monitoring Options](#bkmk-monitoringoptions) + +[User Options](#bkmk-useroptions) + +[Encrypted File Options](#bkmk-efs) + +[Incompatible Command-Line Options](#bkmk-iclo) + +## Before You Begin + + +Before you run the **ScanState** command, note the following: + +- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. + +- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. + +- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). + +- Unless otherwise noted, you can use each option only once when running a tool on the command line. + +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. + +- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. + +- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. + +## Syntax + + +This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. + +The **ScanState** command's syntax is: + +scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example: + +To create a Config.xml file in the current directory, use: + +`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` + +To create an encrypted store using the Config.xml file and the default migration .xml files, use: + +`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` + +## Storage Options + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          StorePath

          Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

          /apps

          Scans the image for apps and includes them and their associated registry settings.

          /ppkg [<FileName>]

          Exports to a specific file location.

          /o

          Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

          /vsc

          This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

          +

          This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

          /hardlink

          Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

          /encrypt [{/key:<KeyString> | /keyfile:<file>]}

          Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

          +
            +

          • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

            • +

          • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

            • +
          +

          We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

          +
          +Important

          You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

          +
          +
          + +
          +

          The following example shows the ScanState command and the /key option:

          +

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

          /encrypt:<EncryptionStrength>

          The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

          /nocompress

          Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

          +

          The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

          +

          For example:

          +

          scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

          + + + +## Run the ScanState Command on an Offline Windows System + + +You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. + +There are several benefits to running the **ScanState** command on an offline Windows image, including: + +- **Improved Performance.** + + Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. + +- **Simplified end to end deployment process.** + + Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. + +- **Improved success of migration.** + + The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. + +- **Ability to recover an unbootable computer.** + + It might be possible to recover and migrate data from an unbootable computer. + +## Offline Migration Options + + + ++++ + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDefinition

          /offline:"path to an offline.xml file"

          This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

          /offlinewindir:"path to a Windows directory"

          This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

          /offlinewinold:"Windows.old directory"

          This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

          + + + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /i:[Path]FileName

          (include)

          +

          Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

          /genconfig:[Path]FileName

          (Generate Config.xml)

          +

          Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

          +

          After you create this file, you will need to make use of it with the ScanState command using the /config option.

          +

          The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          +

          Examples:

          +
            +

          • The following example creates a Config.xml file in the current directory:

            +

            scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

            • +

          /config:[Path</em>]FileName

          Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

          +

          The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

          +

          scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

          +

          The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

          +

          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

          /auto:path to script files

          This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

          /genmigxml:path to a file

          This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

          /targetwindows8

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

          +
            +

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

            • +

          • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

            • +

          /targetwindows7

          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

          +
            +

          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

            • +

          • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

            • +

          /localonly

          Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

          +

          Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

          +

          The /localonly command-line option includes or excludes data in the migration as identified in the following table:

          + ++++ + + + + + + + + + + + + + + + + + + + + +
          Drive typeBehavior with /localonly

          Removable drives such as a USB flash drive

          Excluded

          Network drives

          Excluded

          Fixed drives

          Included

          +

          + + + +## Monitoring Options + + +USMT provides several options that you can use to analyze problems that occur during migration. + +**Note** +The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /listfiles:<FileName>

          You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

          /l:[Path]FileName

          Specifies the location and name of the ScanState log.

          +

          You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

          +

          If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the ScanState log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

          +

          For example:

          +

          scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

          +

          /progress:[Path</em>]FileName

          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

          +

          For example:

          +

          scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

          /c

          When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

          +

          You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

          /r:<TimesToRetry>

          (Retry)

          +

          Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

          +

          While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

          /w:<SecondsBeforeRetry>

          (Wait)

          +

          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

          /p:<pathToFile>

          When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

          +

          Scanstate.exe C:\MigrationLocation [additional parameters]

          +

          /p:"C:\MigrationStoreSize.xml"

          +

          For more information, see Estimate Migration Store Size.

          +

          To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

          /? or /help

          Displays Help at the command line.

          + + + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionDescription

          /all

          Migrates all of the users on the computer.

          +

          USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

          /ui:<DomainName>\<UserName>

          +

          or

          +

          /ui:<ComputerName>\<LocalUserName>

          (User include)

          +

          Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

          +
          +Note

          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

          +
          +
          + +
          +

          For example:

          +
            +

            To include only User2 from the Fabrikam domain, type:

            +

            /ue:*\* /ui:fabrikam\user2

            +

            To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

            +

            /uel:30 /ui:fabrikam\*

            +

            In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

            +
          +

          For more examples, see the descriptions of the /ue and /ui options in this table.

          /uel:<NumberOfDays>

          +

          or

          +

          /uel:<YYYY/MM/DD>

          +

          or

          +

          /uel:0

          (User exclude based on last logon)

          +

          Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

          +

          You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

          +
          +Note

          The /uel option is not valid in offline migrations.

          +
          +
          + +
          +
            +

          • /uel:0 migrates any users who are currently logged on.

            • +

          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

            • +

          • /uel:1 migrates users whose account has been modified within the last 24 hours.

            • +

          • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

            • +
          +

          For example:

          +

          scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

          /ue:<DomainName>\<UserName>

          +

          -or-

          +

          +

          /ue:<ComputerName>\<LocalUserName>

          (User exclude)

          +

          Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

          +

          For example:

          +

          scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

          + + + +## How to Use /ui and /ue + + +The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Exclude the user named User One in the Fabrikam domain.

          /ue:"fabrikam\user one"

          Exclude the user named User1 in the Fabrikam domain.

          /ue:fabrikam\user1

          Exclude the local user named User1.

          /ue:%computername%\user1

          Exclude all domain users.

          /ue:Domain\*

          Exclude all local users.

          /ue:%computername%\*

          Exclude users in all domains named User1, User2, and so on.

          /ue:*\user*

          + + + +## Using the Options Together + + +You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. + +The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. + +The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          BehaviorCommand

          Include only User2 from the Fabrikam domain and exclude all other users.

          /ue:*\* /ui:fabrikam\user2

          Include only the local user named User1 and exclude all other users.

          /ue:*\* /ui:user1

          Include only the domain users from Contoso, except Contoso\User1.

          This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

          +
            +

          • On the ScanState command line, type: /ue:*\* /ui:contoso\*

            • +

          • On the LoadState command line, type: /ue:contoso\user1

            • +

          Include only local (non-domain) users.

          /ue:*\* /ui:%computername%\*

          + + + +## Encrypted File Options + + +You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. + +For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + +**Note** +EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files + + + +**Caution** +Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line OptionExplanation

          /efs:hardlink

          Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

          /efs:abort

          Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

          /efs:skip

          Causes the ScanState command to ignore EFS files.

          /efs:decryptcopy

          Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

          /efs:copyraw

          Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

          +

          For example:

          +

          ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

          +
          +Important

          All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

          +
          +
          + +
          + + + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-Line Option/keyfile/nocompress/genconfig/all

          /i

          /o

          /v

          /nocompress

          X

          N/A

          /localonly

          X

          /key

          X

          X

          /encrypt

          Required*

          X

          X

          /keyfile

          N/A

          X

          /l

          /progress

          X

          /r

          X

          /w

          X

          /c

          X

          /p

          X

          N/A

          /all

          X

          /ui

          X

          X

          /ue

          X

          X

          /uel

          X

          X

          /efs:<option>

          X

          /genconfig

          N/A

          /config

          X

          <StorePath>

          X

          + + + +**Note** +You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. + + + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 9b8726e0ce..1ee21e76d4 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -1,59 +1,59 @@ ---- -title: User State Migration Tool (USMT) Technical Reference (Windows 10) -description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. -ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Technical Reference -The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. - -Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803). - -**USMT support for Microsoft Office** ->USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
          ->USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. - -USMT includes three command-line tools: - -- ScanState.exe
          -- LoadState.exe
          -- UsmtUtils.exe - -USMT also includes a set of three modifiable .xml files: - -- MigApp.xml
          -- MigDocs.xml
          -- MigUser.xml - -Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. - -USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). - -## In This Section -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| -|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.| -|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.| -|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| - -## Related topics -- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx) - -  - -  - - - - - +--- +title: User State Migration Tool (USMT) Technical Reference (Windows 10) +description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. +ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Technical Reference +The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. + +Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803). + +**USMT support for Microsoft Office** +>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
          +>USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. + +USMT includes three command-line tools: + +- ScanState.exe
          +- LoadState.exe
          +- UsmtUtils.exe + +USMT also includes a set of three modifiable .xml files: + +- MigApp.xml
          +- MigDocs.xml
          +- MigUser.xml + +Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). + +## In This Section +|Topic |Description| +|------|-----------| +|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| +|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.| +|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.| +|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| + +## Related topics +- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index bbe67d5535..7c4185278b 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -1,53 +1,53 @@ ---- -title: Test Your Migration (Windows 10) -description: Test Your Migration -ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Test Your Migration - - -Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. - -After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. - -If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. - -In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. - -**Note**   -Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. - - - -After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). - -**Note**   -For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. - - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Test Your Migration (Windows 10) +description: Test Your Migration +ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Test Your Migration + + +Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. + +After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. + +If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. + +In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. + +**Note**   +Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. + + + +After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). + +**Note**   +For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. + + + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Log Files](usmt-log-files.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 4c60bb319d..69321a476c 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -1,30 +1,30 @@ ---- -title: User State Migration Tool (USMT) Overview Topics (Windows 10) -description: User State Migration Tool (USMT) Overview Topics -ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview Topics -The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. - -## In This Section - -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| -|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| -|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| - -## Related topics -- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +--- +title: User State Migration Tool (USMT) Overview Topics (Windows 10) +description: User State Migration Tool (USMT) Overview Topics +ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview Topics +The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +## In This Section + +|Topic |Description| +|------|-----------| +|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| +|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| +|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| + +## Related topics +- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 29613f1c1c..085f3892d2 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -1,73 +1,73 @@ ---- -title: User State Migration Tool (USMT) Troubleshooting (Windows 10) -description: User State Migration Tool (USMT) Troubleshooting -ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Troubleshooting - - -The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

          Common Issues

          Find troubleshooting solutions for common problems in USMT.

          Frequently Asked Questions

          Find answers to questions about how to use USMT.

          Log Files

          Learn how to enable logging to help you troubleshoot issues in USMT.

          Return Codes

          Learn how to use return codes to identify problems in USMT.

          USMT Resources

          Find more information and support for using USMT.

          - - - -## Related topics - - -[USMT Best Practices](usmt-best-practices.md) - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Toolkit (USMT) Reference](usmt-reference.md) - - - - - - - - - +--- +title: User State Migration Tool (USMT) Troubleshooting (Windows 10) +description: User State Migration Tool (USMT) Troubleshooting +ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Troubleshooting + + +The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

          Common Issues

          Find troubleshooting solutions for common problems in USMT.

          Frequently Asked Questions

          Find answers to questions about how to use USMT.

          Log Files

          Learn how to enable logging to help you troubleshoot issues in USMT.

          Return Codes

          Learn how to use return codes to identify problems in USMT.

          USMT Resources

          Find more information and support for using USMT.

          + + + +## Related topics + + +[USMT Best Practices](usmt-best-practices.md) + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Toolkit (USMT) Reference](usmt-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index aad70a5dee..4e9269a29d 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -1,351 +1,351 @@ ---- -title: UsmtUtils Syntax (Windows 10) -description: UsmtUtils Syntax -ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# UsmtUtils Syntax - - -This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: - -- Improve your ability to determine cryptographic options for your migration. - -- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. - -- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. - -- Extract files from the compressed migration store when you migrate files and settings to the destination computer. - -## In This Topic - - -[Usmtutils.exe](#bkmk-usmtutils-exe) - -[Verify Options](#bkmk-verifyoptions) - -[Extract Options](#bkmk-extractoptions) - -## Usmtutils.exe - - -The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. - -The syntax for UsmtUtils.exe is: - -usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-line OptionDescription

          /ec

          Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

          /rd<storeDir>

          Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

          -

          For example:

          -

          usmtutils /rd D:\MyHardLinkStore

          /y

          Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

          /verify

          Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

          -

          See Verify Options for syntax and options to use with /verify.

          /extract

          Recovers files from a compressed USMT migration store.

          -

          See Extract Options for syntax and options to use with /extract.

          - - - -## Verify Options - - -Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -The syntax for **/verify** is: - -usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-line OptionDescription

          <reportType>

          Specifies whether to report on all files, corrupted files only, or the status of the catalog.

          -
            -

          • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

            • -

          • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

            • -

          • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

            • -

          • Catalog. Returns only the status of the catalog file.

            • -
          /l: -

          <logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

           

          /decrypt<AlgID>/:<KeyString>

          -

          or

          -

          /decrypt<AlgID>/:<“Key String”>

          -

          or

          -

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

          -
            -

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            -

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • -

          • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • -

          • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

            • -
          -

          For more information about supported encryption algorithms, see Migration Store Encryption

          - - - -Some examples of **/verify** commands: - -- `usmtutils /verify D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` - -- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` - -## Extract Options - - -Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -The syntax for **/extract** is: - -/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Command-line OptionDescription

          <filePath>

          Path to the USMT migration store.

          -

          For example:

          -

          D:\MyMigrationStore\USMT\store.mig

          <destinationPath>

          Path to the folder where the tool puts the individual files.

          /i:<includePattern>

          Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /e:<excludePattern>

          Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /l:<logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          -

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          -

          You can set the VerbosityLevel to one of the following levels:

          - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          -

           

          /decrypt<AlgID>/key:<KeyString>

          -

          or

          -

          /decrypt<AlgID>/:<“Key String”>

          -

          or

          -

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

          -
            -

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            -

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • -

          • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • -

          • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

            • -
          -

          For more information about supported encryption algorithms, see Migration Store Encryption.

          /o

          Overwrites existing output files.

          - - - -Some examples of **/extract** commands: - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[Return Codes](usmt-return-codes.md) - - - - - - - - - +--- +title: UsmtUtils Syntax (Windows 10) +description: UsmtUtils Syntax +ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# UsmtUtils Syntax + + +This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: + +- Improve your ability to determine cryptographic options for your migration. + +- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. + +- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. + +- Extract files from the compressed migration store when you migrate files and settings to the destination computer. + +## In This Topic + + +[Usmtutils.exe](#bkmk-usmtutils-exe) + +[Verify Options](#bkmk-verifyoptions) + +[Extract Options](#bkmk-extractoptions) + +## Usmtutils.exe + + +The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. + +The syntax for UsmtUtils.exe is: + +usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-line OptionDescription

          /ec

          Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

          /rd<storeDir>

          Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

          +

          For example:

          +

          usmtutils /rd D:\MyHardLinkStore

          /y

          Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

          /verify

          Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

          +

          See Verify Options for syntax and options to use with /verify.

          /extract

          Recovers files from a compressed USMT migration store.

          +

          See Extract Options for syntax and options to use with /extract.

          + + + +## Verify Options + + +Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +The syntax for **/verify** is: + +usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-line OptionDescription

          <reportType>

          Specifies whether to report on all files, corrupted files only, or the status of the catalog.

          +
            +

          • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

            • +

          • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

            • +

          • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

            • +

          • Catalog. Returns only the status of the catalog file.

            • +
          /l: +

          <logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

           

          /decrypt<AlgID>/:<KeyString>

          +

          or

          +

          /decrypt<AlgID>/:<“Key String”>

          +

          or

          +

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

          +
            +

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            +

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • +

          • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • +

          • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

            • +
          +

          For more information about supported encryption algorithms, see Migration Store Encryption

          + + + +Some examples of **/verify** commands: + +- `usmtutils /verify D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` + +## Extract Options + + +Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +The syntax for **/extract** is: + +/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Command-line OptionDescription

          <filePath>

          Path to the USMT migration store.

          +

          For example:

          +

          D:\MyMigrationStore\USMT\store.mig

          <destinationPath>

          Path to the folder where the tool puts the individual files.

          /i:<includePattern>

          Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /e:<excludePattern>

          Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

          /l:<logfilePath>

          Specifies the location and name of the log file.

          /v:<VerbosityLevel>

          (Verbosity)

          +

          Enables verbose output in the UsmtUtils log file. The default value is 0.

          +

          You can set the VerbosityLevel to one of the following levels:

          + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          LevelExplanation

          0

          Only the default errors and warnings are enabled.

          1

          Enables verbose output.

          4

          Enables error and status output.

          5

          Enables verbose and status output.

          8

          Enables error output to a debugger.

          9

          Enables verbose output to a debugger.

          12

          Enables error and status output to a debugger.

          13

          Enables verbose, status, and debugger output.

          +

           

          /decrypt<AlgID>/key:<KeyString>

          +

          or

          +

          /decrypt<AlgID>/:<“Key String”>

          +

          or

          +

          /decrypt:<AlgID>/keyfile:<FileName>

          Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

          +
            +

          • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

            +

            <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

            • +

          • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

            • +

          • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

            • +
          +

          For more information about supported encryption algorithms, see Migration Store Encryption.

          /o

          Overwrites existing output files.

          + + + +Some examples of **/extract** commands: + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[Return Codes](usmt-return-codes.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 16fd8bd5bc..4fc36c33bc 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -1,429 +1,429 @@ ---- -title: What does USMT migrate (Windows 10) -description: What does USMT migrate -ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 09/12/2017 -ms.topic: article ---- - -# What does USMT migrate? - - -## In this topic - - -- [Default migration scripts](#bkmk-defaultmigscripts) - -- [User Data](#bkmk-3) - -- [Operating-system components](#bkmk-4) - -- [Supported applications](#bkmk-2) - -- [What USMT does not migrate](#no) - -## Default migration scripts - - -The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: - -- **MigApp.XML.** Rules to migrate application settings. - -- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. - -- **MigUser.XML.** Rules to migrate user profiles and user data. - - MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. - - The following data does not migrate with MigUser.xml: - - - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. - - - Access control lists (ACLs) for folders outside the user profile. - -## User data - - -This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. - -- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: - - My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. - - >[!IMPORTANT] - >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: - - - Shared Documents - - - Shared Video - - - Shared Music - - - Shared desktop files - - - Shared Pictures - - - Shared Start menu - - - Shared Favorites - -- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: - - **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** - - **Note**   - The asterisk (\*) stands for zero or more characters. - - - -- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. - -**Important**   -To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. - - - -## Operating-system components - - -USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 - -The following components are migrated by default using the manifest files: - -- Accessibility settings - -- Address book - -- Command-prompt settings - -- \*Desktop wallpaper - -- EFS files - -- Favorites - -- Folder options - -- Fonts - -- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. - -- \*Windows Internet Explorer® settings - -- Microsoft® Open Database Connectivity (ODBC) settings - -- Mouse and keyboard settings - -- Network drive mapping - -- \*Network printer mapping - -- \*Offline files - -- \*Phone and modem options - -- RAS connection and phone book (.pbk) files - -- \*Regional settings - -- Remote Access - -- \*Taskbar settings - -- User personal certificates (all) - -- Windows Mail. - -- \*Windows Media Player - -- Windows Rights Management - -\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). - -**Important**   -This list may not be complete. There may be additional components that are migrated. - - - -**Note**   -Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. - - - -## Supported applications - - -Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. - -**Note**   -The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. - - - -**Note**   -USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. - - - -When you specify the MigApp.xml file, USMT migrates the settings for the following applications: - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ProductVersion

          Adobe Acrobat Reader

          9

          AOL Instant Messenger

          6.8

          Adobe Creative Suite

          2

          Adobe Photoshop CS

          8, 9

          Adobe ImageReady CS

          Apple iTunes

          6, 7, 8

          Apple QuickTime Player

          5, 6, 7

          Apple Safari

          3.1.2

          Google Chrome

          beta

          Google Picasa

          3

          Google Talk

          beta

          IBM Lotus 1-2-3

          9

          IBM Lotus Notes

          6,7, 8

          IBM Lotus Organizer

          5

          IBM Lotus WordPro

          9.9

          Intuit Quicken Deluxe

          2009

          Money Plus Business

          2008

          Money Plus Home

          2008

          Mozilla Firefox

          3

          Microsoft Office

          2003, 2007, 2010

          Microsoft Office Access®

          2003, 2007, 2010

          Microsoft Office Excel®

          2003, 2007, 2010

          Microsoft Office FrontPage®

          2003, 2007, 2010

          Microsoft Office OneNote®

          2003, 2007, 2010

          Microsoft Office Outlook®

          2003, 2007, 2010

          Microsoft Office PowerPoint®

          2003, 2007, 2010

          Microsoft Office Publisher

          2003, 2007, 2010

          Microsoft Office Word

          2003, 2007, 2010

          Opera Software Opera

          9.5

          Microsoft Outlook Express

          (only mailbox file)

          Microsoft Project

          2003, 2007

          Microsoft Office Visio®

          2003, 2007

          RealPlayer Basic

          11

          Sage Peachtree

          2009

          Skype

          3.8

          Windows Live Mail

          12, 14

          Windows Live Messenger

          8.5, 14

          Windows Live MovieMaker

          14

          Windows Live Photo Gallery

          12, 14

          Windows Live Writer

          12, 14

          Windows Mail

          (Windows 7 and 8)

          Microsoft Works

          9

          Yahoo Messenger

          9

          Microsoft Zune™ Software

          3

          - - - -## What USMT does not migrate - - -The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). - -### Application settings - -USMT does not migrate the following application settings: - -- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. - -- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. - -- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. - -- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: - - - You change the default installation location on 32-bit destination computers. - - - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. - -### Operating-System settings - -USMT does not migrate the following operating-system settings. - -- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. - -- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. - -- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. - -- Customized icons for shortcuts may not migrate. - -- Taskbar settings, when the source computer is running Windows XP. - -You should also note the following: - -- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. - -- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -### Start menu layout - -Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -## Related topics - - -[Plan your migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: What does USMT migrate (Windows 10) +description: What does USMT migrate +ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 09/12/2017 +ms.topic: article +--- + +# What does USMT migrate? + + +## In this topic + + +- [Default migration scripts](#bkmk-defaultmigscripts) + +- [User Data](#bkmk-3) + +- [Operating-system components](#bkmk-4) + +- [Supported applications](#bkmk-2) + +- [What USMT does not migrate](#no) + +## Default migration scripts + + +The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: + +- **MigApp.XML.** Rules to migrate application settings. + +- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. + +- **MigUser.XML.** Rules to migrate user profiles and user data. + + MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. + + The following data does not migrate with MigUser.xml: + + - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. + + - Access control lists (ACLs) for folders outside the user profile. + +## User data + + +This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. + +- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: + + My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + + >[!IMPORTANT] + >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + +- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: + + - Shared Documents + + - Shared Video + + - Shared Music + + - Shared desktop files + + - Shared Pictures + + - Shared Start menu + + - Shared Favorites + +- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: + + **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** + + **Note**   + The asterisk (\*) stands for zero or more characters. + + + +- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. + +**Important**   +To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. + + + +## Operating-system components + + +USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 + +The following components are migrated by default using the manifest files: + +- Accessibility settings + +- Address book + +- Command-prompt settings + +- \*Desktop wallpaper + +- EFS files + +- Favorites + +- Folder options + +- Fonts + +- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. + +- \*Windows Internet Explorer® settings + +- Microsoft® Open Database Connectivity (ODBC) settings + +- Mouse and keyboard settings + +- Network drive mapping + +- \*Network printer mapping + +- \*Offline files + +- \*Phone and modem options + +- RAS connection and phone book (.pbk) files + +- \*Regional settings + +- Remote Access + +- \*Taskbar settings + +- User personal certificates (all) + +- Windows Mail. + +- \*Windows Media Player + +- Windows Rights Management + +\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). + +**Important**   +This list may not be complete. There may be additional components that are migrated. + + + +**Note**   +Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. + + + +## Supported applications + + +Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. + +**Note**   +The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. + + + +**Note**   +USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. + + + +When you specify the MigApp.xml file, USMT migrates the settings for the following applications: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          ProductVersion

          Adobe Acrobat Reader

          9

          AOL Instant Messenger

          6.8

          Adobe Creative Suite

          2

          Adobe Photoshop CS

          8, 9

          Adobe ImageReady CS

          Apple iTunes

          6, 7, 8

          Apple QuickTime Player

          5, 6, 7

          Apple Safari

          3.1.2

          Google Chrome

          beta

          Google Picasa

          3

          Google Talk

          beta

          IBM Lotus 1-2-3

          9

          IBM Lotus Notes

          6,7, 8

          IBM Lotus Organizer

          5

          IBM Lotus WordPro

          9.9

          Intuit Quicken Deluxe

          2009

          Money Plus Business

          2008

          Money Plus Home

          2008

          Mozilla Firefox

          3

          Microsoft Office

          2003, 2007, 2010

          Microsoft Office Access®

          2003, 2007, 2010

          Microsoft Office Excel®

          2003, 2007, 2010

          Microsoft Office FrontPage®

          2003, 2007, 2010

          Microsoft Office OneNote®

          2003, 2007, 2010

          Microsoft Office Outlook®

          2003, 2007, 2010

          Microsoft Office PowerPoint®

          2003, 2007, 2010

          Microsoft Office Publisher

          2003, 2007, 2010

          Microsoft Office Word

          2003, 2007, 2010

          Opera Software Opera

          9.5

          Microsoft Outlook Express

          (only mailbox file)

          Microsoft Project

          2003, 2007

          Microsoft Office Visio®

          2003, 2007

          RealPlayer Basic

          11

          Sage Peachtree

          2009

          Skype

          3.8

          Windows Live Mail

          12, 14

          Windows Live Messenger

          8.5, 14

          Windows Live MovieMaker

          14

          Windows Live Photo Gallery

          12, 14

          Windows Live Writer

          12, 14

          Windows Mail

          (Windows 7 and 8)

          Microsoft Works

          9

          Yahoo Messenger

          9

          Microsoft Zune™ Software

          3

          + + + +## What USMT does not migrate + + +The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). + +### Application settings + +USMT does not migrate the following application settings: + +- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. + +- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. + +- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. + +- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: + + - You change the default installation location on 32-bit destination computers. + + - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. + +### Operating-System settings + +USMT does not migrate the following operating-system settings. + +- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. + +- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. + +- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. + +- Customized icons for shortcuts may not migrate. + +- Taskbar settings, when the source computer is running Windows XP. + +You should also note the following: + +- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. + +- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +### Start menu layout + +Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). + +## Related topics + + +[Plan your migration](usmt-plan-your-migration.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 13fcf0effc..bfbd4e2c61 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -138,7 +139,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -212,7 +213,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -275,7 +276,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -455,7 +456,7 @@ For example, In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: -``` syntax +``` xml A @@ -468,7 +469,7 @@ In the code sample below, the <condition> elements, A and B, are joined to However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. -``` syntax +``` xml A @@ -826,7 +827,7 @@ For example: ~~~ For example: -``` syntax +``` xml MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") ``` ~~~ @@ -914,7 +915,7 @@ For example: ~~~ For example: -``` syntax +``` xml MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") %CSIDL_FAVORITES%\* [*] @@ -1055,7 +1056,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml MigXmlHelper.IsNative64Bit() @@ -1152,13 +1153,13 @@ The following functions generate patterns out of the content of an object. These ~~~ For example: -``` syntax +``` xml ``` and -``` syntax +``` xml ``` ~~~ @@ -1243,7 +1244,7 @@ and ~~~ For example: -``` syntax +``` xml @@ -1365,7 +1366,7 @@ The following functions change the content of objects as they are migrated. Thes ~~~ For example: -``` syntax +``` xml HKCU\Control Panel\Desktop [ScreenSaveUsePassword] @@ -1622,7 +1623,7 @@ Syntax: The following code sample shows how the <description> element defines the "My custom component" description.: -``` syntax +``` xml My custom component ``` @@ -1677,7 +1678,7 @@ Syntax: For example: -``` syntax +``` xml HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*] @@ -1807,7 +1808,7 @@ Syntax: The following example is from the MigApp.xml file. -``` syntax +``` xml MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*") @@ -1878,7 +1879,7 @@ Syntax: For example: -``` syntax +``` xml MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0") @@ -1889,7 +1890,7 @@ For example: and -``` syntax +``` xml @@ -1945,7 +1946,7 @@ Syntax: For example: -``` syntax +``` xml Command Prompt settings ``` @@ -2012,7 +2013,7 @@ Syntax: In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: -``` syntax +``` xml @@ -2022,7 +2023,7 @@ In this scenario, you want to generate the location of objects at run time depen Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. -``` syntax +``` xml %INSTALLPATH%\ [*.xyz] @@ -2032,7 +2033,7 @@ Then you can use an include rule as follows. You can use any of the [<script& Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. -``` syntax +``` xml @@ -2050,7 +2051,7 @@ Second, you can also filter registry values that contain data that you need. The In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file: -``` syntax +``` xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt] @@ -2064,7 +2065,7 @@ In this scenario, you want to migrate five files named File1.txt, File2.txt, and Instead of typing the path five times, you can create a variable for the location as follows: -``` syntax +``` xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 @@ -2074,7 +2075,7 @@ Instead of typing the path five times, you can create a variable for the locatio Then, you can specify the variable in an <include> rule as follows: -``` syntax +``` xml %DATAPATH% [File1.txt] @@ -2133,7 +2134,7 @@ Syntax: For example, from the MigUser.xml file: -``` syntax +``` xml %CSIDL_MYMUSIC%\* [*] @@ -2190,7 +2191,7 @@ Syntax: Example: -``` syntax +``` xml @@ -2297,7 +2298,7 @@ Syntax: For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: -``` syntax +``` xml doc @@ -2305,7 +2306,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s is the same as specifying the following code below the <rules> element: -``` syntax +``` xml @@ -2418,7 +2419,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +``` xml My Video @@ -2501,7 +2502,7 @@ The following functions return a Boolean value. You can use them to migrate cert For example: - ``` syntax + ``` xml %CSIDL_COMMON_VIDEO%\* [*] @@ -2517,7 +2518,7 @@ The following functions return a Boolean value. You can use them to migrate cert In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer: - ``` syntax + ``` xml HKCU\Control Panel\International [Locale] @@ -2634,7 +2635,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -2695,7 +2696,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip] @@ -2740,7 +2741,7 @@ The following functions change the location of objects as they are migrated when ~~~ For example: -``` syntax +``` xml HKCU\Keyboard Layout\Toggle [] @@ -2817,7 +2818,7 @@ For example: ~~~ For example: -``` syntax +``` xml %CSIDL_COMMON_FAVORITES%\* [*] @@ -2923,7 +2924,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +``` xml @@ -2948,7 +2949,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ``` xml HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures] @@ -3037,7 +3038,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion] @@ -3097,7 +3098,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml ``` @@ -3138,7 +3139,7 @@ This filter helper function can be used to filter the migration of files based o -``` syntax +``` xml File_size @@ -3194,7 +3195,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -3230,7 +3231,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +``` xml My Music @@ -3273,7 +3274,7 @@ This is an internal USMT element. Do not use this element. You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: -``` syntax +``` xml C:\Folder\* [Sample.doc] ``` @@ -3336,13 +3337,13 @@ For example: - To migrate a single registry key: - ``` syntax + ``` xml HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] ``` - To migrate the EngineeringDrafts folder and any subfolders from the C: drive: - ``` syntax + ``` xml C:\EngineeringDrafts\* [*] ``` @@ -3352,13 +3353,13 @@ For example: - To migrate the Sample.doc file from C:\\EngineeringDrafts: - ``` syntax + ``` xml C:\EngineeringDrafts\ [Sample.doc] ``` - To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. - ``` syntax + ``` xml C:\* [Sample.doc] ``` @@ -3484,7 +3485,7 @@ Syntax: The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: -``` syntax +``` xml Start Menu @@ -3571,7 +3572,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +``` xml My Music @@ -3679,7 +3680,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. -``` syntax +``` xml ``` @@ -3744,7 +3745,7 @@ These functions return either a string or a pattern. ~~~ For example: -``` syntax +``` xml @@ -3849,7 +3850,7 @@ If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called whil The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. -``` syntax +``` xml @@ -3915,7 +3916,7 @@ This helper function invokes the document finder to scan the system for all file -``` syntax +``` xml MigDocUser @@ -3942,7 +3943,7 @@ The following scripts have no return value. You can use the following errors wit - **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: - ``` syntax + ``` xml @@ -3952,7 +3953,7 @@ The following scripts have no return value. You can use the following errors wit - **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: - ``` syntax + ``` xml @@ -3960,7 +3961,7 @@ The following scripts have no return value. You can use the following errors wit - **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: - ``` syntax + ``` xml @@ -3970,7 +3971,7 @@ The following scripts have no return value. You can use the following errors wit - **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: - ``` syntax + ``` xml @@ -4020,7 +4021,7 @@ Syntax: For example: -``` syntax +``` xml %CSIDL_COMMON_APPDATA%\QuickTime @@ -4045,7 +4046,7 @@ Syntax: The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). -``` syntax +``` xml Test @@ -4116,7 +4117,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +``` xml HKLM\Software @@ -4168,7 +4169,7 @@ Syntax: For example: -``` syntax +``` xml 4.* ``` diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index 8dda62c31d..e69e94db8f 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -1,78 +1,78 @@ ---- -title: USMT XML Reference (Windows 10) -description: USMT XML Reference -ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# USMT XML Reference - - -This section contains topics that you can use to work with and to customize the migration XML files. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Understanding Migration XML Files

          Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.

          Config.xml File

          Describes the Config.xml file and policies concerning its configuration.

          Customize USMT XML Files

          Describes how to customize USMT XML files.

          Custom XML Examples

          Gives examples of XML files for various migration scenarios.

          Conflicts and Precedence

          Describes the precedence of migration rules and how conflicts are handled.

          General Conventions

          Describes the XML helper functions.

          XML File Requirements

          Describes the requirements for custom XML files.

          Recognized Environment Variables

          Describes environment variables recognized by USMT.

          XML Elements Library

          Describes the XML elements and helper functions for authoring migration XML files to use with USMT.

          - - - - - - - - - - - +--- +title: USMT XML Reference (Windows 10) +description: USMT XML Reference +ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# USMT XML Reference + + +This section contains topics that you can use to work with and to customize the migration XML files. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

          Understanding Migration XML Files

          Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.

          Config.xml File

          Describes the Config.xml file and policies concerning its configuration.

          Customize USMT XML Files

          Describes how to customize USMT XML files.

          Custom XML Examples

          Gives examples of XML files for various migration scenarios.

          Conflicts and Precedence

          Describes the precedence of migration rules and how conflicts are handled.

          General Conventions

          Describes the XML helper functions.

          XML File Requirements

          Describes the requirements for custom XML files.

          Recognized Environment Variables

          Describes environment variables recognized by USMT.

          XML Elements Library

          Describes the XML elements and helper functions for authoring migration XML files to use with USMT.

          + + + + + + + + + + + diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 5c83d3b22e..433a6a1605 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -1,128 +1,128 @@ ---- -title: Verify the Condition of a Compressed Migration Store (Windows 10) -description: Verify the Condition of a Compressed Migration Store -ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Verify the Condition of a Compressed Migration Store - - -When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains: - -- All of the files being migrated. - -- The user’s settings. - -- A catalog file that contains metadata for all files in the migration store. - -When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings. - -When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are: - -- **Catalog**: Displays the status of only the catalog file. - -- **All**: Displays the status of all files, including the catalog file. - -- **Failure only**: Displays only the files that are corrupted. - -## In This Topic - - -The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. - -- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) - -- [To verify that the migration store is intact](#bkmk-verifyintactstore) - -- [To verify the status of only the catalog file](#bkmk-verifycatalog) - -- [To verify the status of all files](#bkmk-verifyallfiles) - -- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) - -### The UsmtUtils Syntax for the /verify Option - -To verify the condition of a compressed migration store, use the following UsmtUtils syntax: - -cd /d<USMTpath>usmtutils /verify\[:<reportType>\] <filePath> \[/l:<logfile>\] \[/decrypt \[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] - -Where the placeholders have the following values: - -- *<USMTpath>* is the location where you have saved the USMT files and tools. - -- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. - -- *<filePath>* is the location of the compressed migration store. - -- *<logfile>* is the location and name of the log file. - -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. - -- *<keystring>* is the encryption key that was used to encrypt the migration store. - -- *<filename>* is the location and name of the text file that contains the encryption key. - -### To Verify that the Migration Store is Intact - -To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: - -``` syntax -usmtutils /verify D:\MyMigrationStore\store.mig -``` - -Because no report type is specified, UsmtUtils displays the default summary report. - -### To Verify the Status of Only the Catalog File - -To verify whether the catalog file is corrupted or intact, type: - -``` syntax -usmtutils /verify:catalog D:\MyMigrationStore\store.mig -``` - -### To Verify the Status of all Files - -To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: - -`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` - -In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. - -### To Verify the Status of the Files and Return Only the Corrupted Files - -In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. - -``` syntax -usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt -``` - -This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key. - -### Next Steps - -If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -  - -  - - - - - +--- +title: Verify the Condition of a Compressed Migration Store (Windows 10) +description: Verify the Condition of a Compressed Migration Store +ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Verify the Condition of a Compressed Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains: + +- All of the files being migrated. + +- The user’s settings. + +- A catalog file that contains metadata for all files in the migration store. + +When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings. + +When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are: + +- **Catalog**: Displays the status of only the catalog file. + +- **All**: Displays the status of all files, including the catalog file. + +- **Failure only**: Displays only the files that are corrupted. + +## In This Topic + + +The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. + +- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) + +- [To verify that the migration store is intact](#bkmk-verifyintactstore) + +- [To verify the status of only the catalog file](#bkmk-verifycatalog) + +- [To verify the status of all files](#bkmk-verifyallfiles) + +- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) + +### The UsmtUtils Syntax for the /verify Option + +To verify the condition of a compressed migration store, use the following UsmtUtils syntax: + +cd /d<USMTpath>usmtutils /verify\[:<reportType>\] <filePath> \[/l:<logfile>\] \[/decrypt \[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. + +- *<filePath>* is the location of the compressed migration store. + +- *<logfile>* is the location and name of the log file. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To Verify that the Migration Store is Intact + +To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: + +``` syntax +usmtutils /verify D:\MyMigrationStore\store.mig +``` + +Because no report type is specified, UsmtUtils displays the default summary report. + +### To Verify the Status of Only the Catalog File + +To verify whether the catalog file is corrupted or intact, type: + +``` syntax +usmtutils /verify:catalog D:\MyMigrationStore\store.mig +``` + +### To Verify the Status of all Files + +To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: + +`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. + +### To Verify the Status of the Files and Return Only the Corrupted Files + +In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. + +``` syntax +usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt +``` + +This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key. + +### Next Steps + +If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 8baca0f103..aeae8b54ae 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -8,6 +8,7 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article @@ -20,20 +21,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` syntax + ``` xml ``` - **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` syntax + ``` xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: - ``` syntax + ``` xml My Application ``` diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 11795953dd..1ed8638bcc 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,149 +1,149 @@ ---- -title: Configure VDA for Windows 10 Subscription Activation -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -ms.topic: article -ms.collection: M365-modern-desktop ---- - -# Configure VDA for Windows 10 Subscription Activation - -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. - -Deployment instructions are provided for the following scenarios: -1. [Active Directory-joined VMs](#active-directory-joined-vms) -2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) -3. [Azure Gallery VMs](#azure-gallery-vms) - -## Requirements - -- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. -- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. -- VMs must be generation 1. -- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). - -## Activation - -### Scenario 1 -- The VM is running Windows 10, version 1803 or later. -- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). - - When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. - -### Scenario 2 -- The Hyper-V host and the VM are both running Windows 10, version 1803 or later. - - [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. - -### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. - - In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). - -For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). - -## Active Directory-joined VMs - -1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following at an elevated command prompt: - - ``` - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f - ``` - -3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -5. Click **Add**, type **Authenticated users**, and then click **OK** three times. -6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. -7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -8. Open Windows Configuration Designer and click **Provison desktop services**. -9. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 10. - - 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. - 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -10. On the Set up network page, choose **Off**. -11. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. - - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). -12. On the Add applications page, add applications if desired. This step is optional. -13. On the Add certificates page, add certificates if desired. This step is optional. -14. On the Finish page, click **Create**. -15. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 16. - 1. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. - 2. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: - - ``` - Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" - ``` - 3. Right-click the mounted image in file explorer and click **Eject**. -16. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. - -## Azure Active Directory-joined VMs - ->[!IMPORTANT] ->Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. - -For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. -- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. -- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). - -## Azure Gallery VMs - -1. (Optional) To disable network level authentication, type the following at an elevated command prompt: - - ``` - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f - ``` - -2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -4. Click **Add**, type **Authenticated users**, and then click **OK** three times. -5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -6. Open Windows Configuration Designer and click **Provison desktop services**. -7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name. -9. On the Set up network page, choose **Off**. -10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. -11. On the Add applications page, add applications if desired. This step is optional. -12. On the Add certificates page, add certificates if desired. This step is optional. -13. On the Finish page, click **Create**. -14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. - -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rdp-settings-for-azure). - -## Create custom RDP settings for Azure - -To create custom RDP settings for Azure: - -1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. -2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. -3. Close the Remote Desktop Connection window and open Notepad. -4. Drag the RDP file into the Notepad window to edit it. -5. Enter or replace the line that specifies authentication level with the following two lines of text: - - ```text - enablecredsspsupport:i:0 - authentication level:i:2 - ``` -6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. -7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. - -## Related topics - -[Windows 10 Subscription Activation](windows-10-subscription-activation.md) -
          [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
          [Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) - +--- +title: Configure VDA for Windows 10 Subscription Activation +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Configure VDA for Windows 10 Subscription Activation + +This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. + +Deployment instructions are provided for the following scenarios: +1. [Active Directory-joined VMs](#active-directory-joined-vms) +2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) +3. [Azure Gallery VMs](#azure-gallery-vms) + +## Requirements + +- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. +- VMs must be generation 1. +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). + +## Activation + +### Scenario 1 +- The VM is running Windows 10, version 1803 or later. +- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). + + When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + +### Scenario 2 +- The Hyper-V host and the VM are both running Windows 10, version 1803 or later. + + [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + +### Scenario 3 +- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. + + In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). + +For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). + +## Active Directory-joined VMs + +1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image) +2. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +5. Click **Add**, type **Authenticated users**, and then click **OK** three times. +6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. +7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +8. Open Windows Configuration Designer and click **Provison desktop services**. +9. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 10. + + 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. + 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +10. On the Set up network page, choose **Off**. +11. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). +12. On the Add applications page, add applications if desired. This step is optional. +13. On the Add certificates page, add certificates if desired. This step is optional. +14. On the Finish page, click **Create**. +15. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 16. + 1. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. + 2. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: + + ``` + Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" + ``` + 3. Right-click the mounted image in file explorer and click **Eject**. +16. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. + +## Azure Active Directory-joined VMs + +>[!IMPORTANT] +>Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. + +For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: +- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. +- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). + +## Azure Gallery VMs + +1. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +4. Click **Add**, type **Authenticated users**, and then click **OK** three times. +5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +6. Open Windows Configuration Designer and click **Provison desktop services**. +7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. + 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name. +9. On the Set up network page, choose **Off**. +10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. +11. On the Add applications page, add applications if desired. This step is optional. +12. On the Add certificates page, add certificates if desired. This step is optional. +13. On the Finish page, click **Create**. +14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. + +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rdp-settings-for-azure). + +## Create custom RDP settings for Azure + +To create custom RDP settings for Azure: + +1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. +2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. +3. Close the Remote Desktop Connection window and open Notepad. +4. Drag the RDP file into the Notepad window to edit it. +5. Enter or replace the line that specifies authentication level with the following two lines of text: + + ```text + enablecredsspsupport:i:0 + authentication level:i:2 + ``` +6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. +7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related topics + +[Windows 10 Subscription Activation](windows-10-subscription-activation.md) +
          [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) +
          [Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) + diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 78990c1268..772b7e9d11 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -1,56 +1,56 @@ ---- -title: Activate by Proxy an Active Directory Forest (Windows 10) -description: Activate by Proxy an Active Directory Forest -ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Activate by Proxy an Active Directory Forest - -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. - -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. - -In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access. - -**Note**   -For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet. - -## Requirements - -Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: -- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. -- VAMT has administrative permissions to the Active Directory domain. - -**To perform an Active Directory forest proxy activation** - -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. -5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. -6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. -7. Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. -9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. -10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. -11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. -12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message. -13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. -14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane. -15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**. - -VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. - -## Related topics - -- [Add and Remove Computers](add-remove-computers-vamt.md) +--- +title: Activate by Proxy an Active Directory Forest (Windows 10) +description: Activate by Proxy an Active Directory Forest +ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Activate by Proxy an Active Directory Forest + +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access. + +**Note**   +For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet. + +## Requirements + +Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: +- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. +- VAMT has administrative permissions to the Active Directory domain. + +**To perform an Active Directory forest proxy activation** + +1. Open VAMT. +2. In the left-side pane, click the **Active Directory-Based Activation** node. +3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box. +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. +5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. +6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. +7. Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. +9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. +10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. +11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. +12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message. +13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. +14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane. +15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**. + +VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics + +- [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 0f46e1a22e..06362064ff 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -1,50 +1,50 @@ ---- -title: Activate an Active Directory Forest Online (Windows 10) -description: Activate an Active Directory Forest Online -ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Activate an Active Directory Forest Online - -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. - -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a host computer that has Internet access. -- VAMT has administrative permissions to the Active Directory domain. -- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. - -**To perform an online Active Directory forest activation** - -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. -5. If required, enter a new Active Directory-Based Activation Object name - - **Important**   - If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. - -6. Click **Install Key**. -7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. - -The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. - -## Related topics - -- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) -- [Add and Remove Computers](add-remove-computers-vamt.md) +--- +title: Activate an Active Directory Forest Online (Windows 10) +description: Activate an Active Directory Forest Online +ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Activate an Active Directory Forest Online + +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a host computer that has Internet access. +- VAMT has administrative permissions to the Active Directory domain. +- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. + +**To perform an online Active Directory forest activation** + +1. Open VAMT. +2. In the left-side pane, click the **Active Directory-Based Activation** node. +3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. +5. If required, enter a new Active Directory-Based Activation Object name + + **Important**   + If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Click **Install Key**. +7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. + +The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics + +- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) +- [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 40953c27e9..2ab639a904 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -1,101 +1,101 @@ ---- -title: Activate using Active Directory-based activation (Windows 10) -description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. -ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Activate using Active Directory-based activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2016 - -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients. -Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. -To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. -The process proceeds as follows: -1. Perform one of the following tasks: - - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard. - - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT. -2. Microsoft verifies the KMS host key, and an activation object is created. -3. Client computers are activated by receiving the activation object from a domain controller during startup. - - ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) - - **Figure 10**. The Active Directory-based activation flow - -For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. -If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. -Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. -When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. -## Step-by-step configuration: Active Directory-based activation -**Note**   -You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. -**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:** -1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. -2. Launch Server Manager. -3. Add the Volume Activation Services role, as shown in Figure 11. - - ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) - - **Figure 11**. Adding the Volume Activation Services role - -4. Click the link to launch the Volume Activation Tools (Figure 12). - - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) - - **Figure 12**. Launching the Volume Activation Tools - -5. Select the **Active Directory-Based Activation** option (Figure 13). - - ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) - - **Figure 13**. Selecting Active Directory-Based Activation - -6. Enter your KMS host key and (optionally) a display name (Figure 14). - - ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) - - **Figure 14**. Entering your KMS host key - -7. Activate your KMS host key by phone or online (Figure 15). - - ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) - - **Figure 15**. Choosing how to activate your product - -8. After activating the key, click **Commit**, and then click **Close**. - -## Verifying the configuration of Active Directory-based activation - -To verify your Active Directory-based activation configuration, complete the following steps: -1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. -2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. -3. If the computer is not joined to your domain, join it to the domain. -4. Sign in to the computer. -5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. -6. Scroll down to the **Windows activation** section, and verify that this client has been activated. - - **Note**
          - If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +--- +title: Activate using Active Directory-based activation (Windows 10) +description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. +ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Activate using Active Directory-based activation +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2016 + +**Looking for retail activation?** +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients. +Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. +The process proceeds as follows: +1. Perform one of the following tasks: + - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard. + - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT. +2. Microsoft verifies the KMS host key, and an activation object is created. +3. Client computers are activated by receiving the activation object from a domain controller during startup. + + ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) + + **Figure 10**. The Active Directory-based activation flow + +For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. +If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. +Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. +When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. +## Step-by-step configuration: Active Directory-based activation +**Note**   +You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. +**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:** +1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. +2. Launch Server Manager. +3. Add the Volume Activation Services role, as shown in Figure 11. + + ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) + + **Figure 11**. Adding the Volume Activation Services role + +4. Click the link to launch the Volume Activation Tools (Figure 12). + + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) + + **Figure 12**. Launching the Volume Activation Tools + +5. Select the **Active Directory-Based Activation** option (Figure 13). + + ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) + + **Figure 13**. Selecting Active Directory-Based Activation + +6. Enter your KMS host key and (optionally) a display name (Figure 14). + + ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) + + **Figure 14**. Entering your KMS host key + +7. Activate your KMS host key by phone or online (Figure 15). + + ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) + + **Figure 15**. Choosing how to activate your product + +8. After activating the key, click **Commit**, and then click **Close**. + +## Verifying the configuration of Active Directory-based activation + +To verify your Active Directory-based activation configuration, complete the following steps: +1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. +2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. +3. If the computer is not joined to your domain, join it to the domain. +4. Sign in to the computer. +5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. +6. Scroll down to the **Windows activation** section, and verify that this client has been activated. + + **Note**
          + If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index aff4f923e1..01010689aa 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -1,144 +1,144 @@ ---- -title: Activate using Key Management Service (Windows 10) -ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 10/16/2017 -ms.topic: article ---- - -# Activate using Key Management Service - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: -- Host KMS on a computer running Windows 10 -- Host KMS on a computer running Windows Server 2012 R2 -- Host KMS on a computer running an earlier version of Windows - -Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/). - -## Key Management Service in Windows 10 - -Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. -Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. -To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. - -**Configure KMS in Windows 10** - -1. Open an elevated command prompt. -2. Enter one of the following commands. - - To install a KMS key, type **slmgr.vbs /ipk <KmsKey>**. - - To activate online, type **slmgr.vbs /ato**. - - To activate by using the telephone, type **slui.exe 4**. -3. After activating the KMS key, restart the Software Protection Service. - -For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). - -## Key Management Service in Windows Server 2012 R2 -Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. - -**Note**   -You cannot install a client KMS key into the KMS in Windows Server. - -This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. - -**Note**   - -If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687). - -**Configure KMS in Windows Server 2012 R2** - -1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. -2. Launch Server Manager. -3. Add the Volume Activation Services role, as shown in Figure 4. - - ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) - - **Figure 4**. Adding the Volume Activation Services role in Server Manager\ - -4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). - - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) - - **Figure 5**. Launching the Volume Activation Tools - - 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). - This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. - - ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) - - **Figure 6**. Configuring the computer as a KMS host - -5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). - - ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) - - **Figure 7**. Installing your KMS host key - -6. If asked to confirm replacement of an existing key, click **Yes**. -7. After the product key is installed, you must activate it. Click **Next** (Figure 8). - - ![Activating the software](../images/volumeactivationforwindows81-08.jpg) - - **Figure 8**. Activating the software - - The KMS key can be activated online or by phone. See Figure 9. - - ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) - - **Figure 9**. Choosing to activate online - -Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. - -## Verifying the configuration of Key Management Service - -You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. -**Note**   - -If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. - -To verify that KMS volume activation works, complete the following steps: - -1. On the KMS host, open the event log and confirm that DNS publishing is successful. -2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.

          -The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. -3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.

          - -The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. - -For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639). - -## Key Management Service in earlier versions of Windows - -If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: - -1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. -2. Request a new KMS host key from the Volume Licensing Service Center. -3. Install the new KMS host key on your KMS host. -4. Activate the new KMS host key by running the slmgr.vbs script. - -For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +--- +title: Activate using Key Management Service (Windows 10) +ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 10/16/2017 +ms.topic: article +--- + +# Activate using Key Management Service + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: +- Host KMS on a computer running Windows 10 +- Host KMS on a computer running Windows Server 2012 R2 +- Host KMS on a computer running an earlier version of Windows + +Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/). + +## Key Management Service in Windows 10 + +Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. +Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. +To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. + +**Configure KMS in Windows 10** + +1. Open an elevated command prompt. +2. Enter one of the following commands. + - To install a KMS key, type **slmgr.vbs /ipk <KmsKey>**. + - To activate online, type **slmgr.vbs /ato**. + - To activate by using the telephone, type **slui.exe 4**. +3. After activating the KMS key, restart the Software Protection Service. + +For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). + +## Key Management Service in Windows Server 2012 R2 +Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. + +**Note**   +You cannot install a client KMS key into the KMS in Windows Server. + +This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. + +**Note**   + +If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687). + +**Configure KMS in Windows Server 2012 R2** + +1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. +2. Launch Server Manager. +3. Add the Volume Activation Services role, as shown in Figure 4. + + ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) + + **Figure 4**. Adding the Volume Activation Services role in Server Manager\ + +4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). + + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) + + **Figure 5**. Launching the Volume Activation Tools + + 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). + This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. + + ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) + + **Figure 6**. Configuring the computer as a KMS host + +5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). + + ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) + + **Figure 7**. Installing your KMS host key + +6. If asked to confirm replacement of an existing key, click **Yes**. +7. After the product key is installed, you must activate it. Click **Next** (Figure 8). + + ![Activating the software](../images/volumeactivationforwindows81-08.jpg) + + **Figure 8**. Activating the software + + The KMS key can be activated online or by phone. See Figure 9. + + ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) + + **Figure 9**. Choosing to activate online + +Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. + +## Verifying the configuration of Key Management Service + +You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. +**Note**   + +If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. + +To verify that KMS volume activation works, complete the following steps: + +1. On the KMS host, open the event log and confirm that DNS publishing is successful. +2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.

          +The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. +3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.

          + +The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. + +For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639). + +## Key Management Service in earlier versions of Windows + +If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: + +1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. +2. Request a new KMS host key from the Volume Licensing Service Center. +3. Install the new KMS host key on your KMS host. +4. Activate the new KMS host key by running the slmgr.vbs script. + +For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 2ca1ee6338..0664a272c5 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -1,127 +1,127 @@ ---- -title: Activate clients running Windows 10 (Windows 10) -description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. -ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Activate clients running Windows 10 - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. -Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. -If activation or reactivation is required, the following sequence occurs: -1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. -2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. -3. The computer tries to activate against Microsoft servers if it is configured with a MAK. - -If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. - -## How Key Management Service works - -KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. - -### Key Management Service activation thresholds - -You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. - -A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. -When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. - -In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. - -### Activation count cache - -To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. -However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. -The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. - -### Key Management Service connectivity - -KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. - -### Key Management Service activation renewal - -KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. - -### Publication of the Key Management Service - -The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. - -### Client discovery of the Key Management Service - -By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. -Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. -If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. -By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. - -### Domain Name System server configuration - -The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. -The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. - -### Activating the first Key Management Service host - -KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. - -### Activating subsequent Key Management Service hosts - -Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. - -## How Multiple Activation Key works - -A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. - -You can activate computers by using a MAK in two ways: -- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - - ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) - - **Figure 16**. MAK independent activation -- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - - ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) - - **Figure 17**. MAK proxy activation with the VAMT - -A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. - -You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. - -### Multiple Activation Key architecture and activation - -MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. -In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. - -## Activating as a standard user - -Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Activate clients running Windows 10 (Windows 10) +description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. +ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Activate clients running Windows 10 + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. +Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. +If activation or reactivation is required, the following sequence occurs: +1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. +2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. +3. The computer tries to activate against Microsoft servers if it is configured with a MAK. + +If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. + +## How Key Management Service works + +KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. + +### Key Management Service activation thresholds + +You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. + +A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. +When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. + +In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. + +### Activation count cache + +To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. +However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. +The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. + +### Key Management Service connectivity + +KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. + +### Key Management Service activation renewal + +KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. + +### Publication of the Key Management Service + +The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. + +### Client discovery of the Key Management Service + +By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. +Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. +If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. +By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. + +### Domain Name System server configuration + +The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. +The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. + +### Activating the first Key Management Service host + +KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. + +### Activating subsequent Key Management Service hosts + +Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. + +## How Multiple Activation Key works + +A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. + +You can activate computers by using a MAK in two ways: +- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. + + ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) + + **Figure 16**. MAK independent activation +- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. + + ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) + + **Figure 17**. MAK proxy activation with the VAMT + +A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. + +You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. + +### Multiple Activation Key architecture and activation + +MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. +In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. + +## Activating as a standard user + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index df06a4be92..b0c4c10975 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -1,43 +1,43 @@ ---- -title: Active Directory-Based Activation Overview (Windows 10) -description: Active Directory-Based Activation Overview -ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 12/07/2018 -ms.topic: article ---- - -# Active Directory-Based Activation overview - -Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. - -## ADBA scenarios - -You might use ADBA if you only want to activate domain joined devices. - -If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. - -ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. - -Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. - - -## ADBA methods - -VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: -- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. -- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. - -## Related topics - -- [How to Activate an Active Directory Forest Online](https://go.microsoft.com/fwlink/p/?LinkId=246565) -- [How to Proxy Activate an Active Directory Forest](https://go.microsoft.com/fwlink/p/?LinkId=246566) -  -  +--- +title: Active Directory-Based Activation Overview (Windows 10) +description: Active Directory-Based Activation Overview +ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 12/07/2018 +ms.topic: article +--- + +# Active Directory-Based Activation overview + +Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. + +## ADBA scenarios + +You might use ADBA if you only want to activate domain joined devices. + +If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. + +ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. + +Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. + + +## ADBA methods + +VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. + +## Related topics + +- [How to Activate an Active Directory Forest Online](https://go.microsoft.com/fwlink/p/?LinkId=246565) +- [How to Proxy Activate an Active Directory Forest](https://go.microsoft.com/fwlink/p/?LinkId=246566) +  +  diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index f913c13504..255bda4716 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -1,30 +1,30 @@ ---- -title: Add and Manage Products (Windows 10) -description: Add and Manage Products -ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Manage Products - -This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. - -## In this Section - -|Topic |Description | -|------|------------| -|[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | -|[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | -|[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | - - - +--- +title: Add and Manage Products (Windows 10) +description: Add and Manage Products +ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Manage Products + +This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. + +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | +|[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | +|[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | + + + diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 0f68956571..0784cbb98a 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -1,63 +1,63 @@ ---- -title: Add and Remove Computers (Windows 10) -description: Add and Remove Computers -ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.pagetype: activation -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Remove Computers - -You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. - -Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). - -## To add computers to a VAMT database - -1. Open VAMT. -2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. -3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. - - To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. -4. Click **Search**. -5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. - To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. - - ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) - - **Important**   - This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. - -## To add products to VAMT - -1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. -6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - - **Note**   - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. - -## To remove computers from a VAMT database - -You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. - -## Related topics - -- [Add and Manage Products](add-manage-products-vamt.md) - - +--- +title: Add and Remove Computers (Windows 10) +description: Add and Remove Computers +ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.pagetype: activation +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Remove Computers + +You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. + +Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). + +## To add computers to a VAMT database + +1. Open VAMT. +2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. +3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + - To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. + - To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. +4. Click **Search**. +5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. + To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. + + ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) + + **Important**   + This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. + +## To add products to VAMT + +1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. +6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +## To remove computers from a VAMT database + +You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. + +## Related topics + +- [Add and Manage Products](add-manage-products-vamt.md) + + diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index 93ac0b75a1..fc7b9b051d 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -1,39 +1,39 @@ ---- -title: Add and Remove a Product Key (Windows 10) -description: Add and Remove a Product Key -ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Remove a Product Key - -Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. - -## To Add a Product Key - -1. Open VAMT. -2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. -3. Click **Add product keys** to open the **Add Product Keys** dialog box. -4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. - - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - - **Note**   - If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. - -## Remove a Product Key - -- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) +--- +title: Add and Remove a Product Key (Windows 10) +description: Add and Remove a Product Key +ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Remove a Product Key + +Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. + +## To Add a Product Key + +1. Open VAMT. +2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. +3. Click **Add product keys** to open the **Add Product Keys** dialog box. +4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. + - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + **Note**   + If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Remove a Product Key + +- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index e311d05013..d56ff58a30 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -1,71 +1,71 @@ ---- -title: Appendix Information sent to Microsoft during activation (Windows 10) -ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Appendix: Information sent to Microsoft during activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -When you activate a computer running Windows 10, the following information is sent to Microsoft: - -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) -- A channel ID or site code that identifies how the Windows product was originally obtained - - For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - -- The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered -- Computer make and model -- Version information for the operating system and software -- Region and language settings -- A unique number called a *globally unique identifier*, which is assigned to your computer -- Product key (hashed) and product ID -- BIOS name, revision number, and revision date -- Volume serial number (hashed) of the hard disk drive -- The result of the activation check - - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - - The activation exploit’s identifier - - The activation exploit’s current state, such as cleaned or quarantined - - Computer manufacturer’s identification - - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit -- The name and a hash of the contents of your computer’s startup instructions file -- If your Windows license is on a subscription basis, information about how your subscription works - -Standard computer information is also sent, but your computer’s IP address is only retained temporarily. - -## Use of information - -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Appendix Information sent to Microsoft during activation (Windows 10) +ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Appendix: Information sent to Microsoft during activation +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +When you activate a computer running Windows 10, the following information is sent to Microsoft: + +- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- A channel ID or site code that identifies how the Windows product was originally obtained + + For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. + +- The date of installation and whether the installation was successful +- Information that helps confirm that your Windows product key has not been altered +- Computer make and model +- Version information for the operating system and software +- Region and language settings +- A unique number called a *globally unique identifier*, which is assigned to your computer +- Product key (hashed) and product ID +- BIOS name, revision number, and revision date +- Volume serial number (hashed) of the hard disk drive +- The result of the activation check + + This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + + - The activation exploit’s identifier + - The activation exploit’s current state, such as cleaned or quarantined + - Computer manufacturer’s identification + - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit +- The name and a hash of the contents of your computer’s startup instructions file +- If your Windows license is on a subscription basis, information about how your subscription works + +Standard computer information is also sent, but your computer’s IP address is only retained temporarily. + +## Use of information + +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. +For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index c602675503..9cd6a07136 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -1,94 +1,94 @@ ---- -title: Configure Client Computers (Windows 10) -description: Configure Client Computers -ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Configure Client Computers - -To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: - -- An exception must be set in the client computer's firewall. -- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. - -Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. - -**Important**   -This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). - -## Configuring the Windows Firewall to allow VAMT access - -Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: -1. Open Control Panel and double-click **System and Security**. -2. Click **Windows Firewall**. -3. Click **Allow a program or feature through Windows Firewall**. -4. Click the **Change settings** option. -5. Select the **Windows Management Instrumentation (WMI)** checkbox. -6. Click **OK**. - - **Warning**   - By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. - -## Configure Windows Firewall to allow VAMT access across multiple subnets - -Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: - -![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) - -1. Open the Control Panel and double-click **Administrative Tools**. -2. Click **Windows Firewall with Advanced Security**. -3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): - - Windows Management Instrumentation (ASync-In) - - Windows Management Instrumentation (DCOM-In) - - Windows Management Instrumentation (WMI-In) - -4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. - -5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. - - - On the **General** tab, select the **Allow the connection** checkbox. - - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. - - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). - -In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. -For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). - -## Create a registry value for the VAMT to access workgroup-joined computer - -**Caution**   -This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). - -On the client computer, create the following registry key using regedit.exe. - -1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` -2. Enter the following details: - **Value Name: LocalAccountTokenFilterPolicy** - **Type: DWORD** - **Value Data: 1** - **Note**   - To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. - -## Deployment options - -There are several options for organizations to configure the WMI firewall exception for computers: -- **Image.** Add the configurations to the master Windows image deployed to all clients. -- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. -- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility. -- **Manual.** Configure the WMI firewall exception individually on each client. -The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. - -## Related topics - -- [Install and Configure VAMT](install-configure-vamt.md) - - +--- +title: Configure Client Computers (Windows 10) +description: Configure Client Computers +ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Configure Client Computers + +To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: + +- An exception must be set in the client computer's firewall. +- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. + +Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. + +**Important**   +This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). + +## Configuring the Windows Firewall to allow VAMT access + +Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: +1. Open Control Panel and double-click **System and Security**. +2. Click **Windows Firewall**. +3. Click **Allow a program or feature through Windows Firewall**. +4. Click the **Change settings** option. +5. Select the **Windows Management Instrumentation (WMI)** checkbox. +6. Click **OK**. + + **Warning**   + By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. + +## Configure Windows Firewall to allow VAMT access across multiple subnets + +Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: + +![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) + +1. Open the Control Panel and double-click **Administrative Tools**. +2. Click **Windows Firewall with Advanced Security**. +3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): + - Windows Management Instrumentation (ASync-In) + - Windows Management Instrumentation (DCOM-In) + - Windows Management Instrumentation (WMI-In) + +4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. + +5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. + + - On the **General** tab, select the **Allow the connection** checkbox. + - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. + - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). + +In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. +For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911). + +## Create a registry value for the VAMT to access workgroup-joined computer + +**Caution**   +This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). + +On the client computer, create the following registry key using regedit.exe. + +1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` +2. Enter the following details: + **Value Name: LocalAccountTokenFilterPolicy** + **Type: DWORD** + **Value Data: 1** + **Note**   + To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. + +## Deployment options + +There are several options for organizations to configure the WMI firewall exception for computers: +- **Image.** Add the configurations to the master Windows image deployed to all clients. +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. +- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility. +- **Manual.** Configure the WMI firewall exception individually on each client. +The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. + +## Related topics + +- [Install and Configure VAMT](install-configure-vamt.md) + + diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 5bdfd8a7ce..5b77d96564 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,51 +1,51 @@ ---- -title: Import and Export VAMT Data (Windows 10) -description: Import and Export VAMT Data -ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Import and Export VAMT Data - -You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. -You can import data or export data during the following scenarios: -- Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. - -**Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. - -## Import VAMT Data - -**To import data into VAMT** -1. Open VAMT. -2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. -4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. - -## Export VAMT Data - -Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: -1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. -3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. -4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. -5. Under **Export options**, select one of the following data-type options: - - Export products and product keys - - Export products only - - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. -7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. - -## Related topics - -- [Perform Proxy Activation](proxy-activation-vamt.md) +--- +title: Import and Export VAMT Data (Windows 10) +description: Import and Export VAMT Data +ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Import and Export VAMT Data + +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. +You can import data or export data during the following scenarios: +- Import and merge data from previous versions of VAMT. +- Export data to use to perform proxy activations. + +**Warning**   +Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. + +## Import VAMT Data + +**To import data into VAMT** +1. Open VAMT. +2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. +3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. +4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. + +## Export VAMT Data + +Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: +1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. +2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. +3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. +4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. +5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. +6. If you have selected products to export, select the **Export selected product rows only** check box. +7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. + +## Related topics + +- [Perform Proxy Activation](proxy-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 5ac36425a9..dc1c9eaa35 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -1,34 +1,34 @@ ---- -title: Install and Configure VAMT (Windows 10) -description: Install and Configure VAMT -ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install and Configure VAMT - -This section describes how to install and configure the Volume Activation Management Tool (VAMT). - -## In this Section - -|Topic |Description | -|------|------------| -|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | -|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | -|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | - -## Related topics - -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: Install and Configure VAMT (Windows 10) +description: Install and Configure VAMT +ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install and Configure VAMT + +This section describes how to install and configure the Volume Activation Management Tool (VAMT). + +## In this Section + +|Topic |Description | +|------|------------| +|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | +|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | +|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | + +## Related topics + +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 2674b655be..3fe43074c1 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -1,43 +1,43 @@ ---- -title: Install a KMS Client Key (Windows 10) -description: Install a KMS Client Key -ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a KMS Client Key - -You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. - -**Note**   -By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. - -**To install a KMS Client key** -1. Open VAMT. -2. In the left-side pane click **Products** to open the product list view in the center pane. -3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -7. The **Install Product Key** dialog box displays the keys that are available to be installed. -8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. - - VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - -## Related topics - -- [Perform KMS Activation](kms-activation-vamt.md) +--- +title: Install a KMS Client Key (Windows 10) +description: Install a KMS Client Key +ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a KMS Client Key + +You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. + +**Note**   +By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. + +**To install a KMS Client key** +1. Open VAMT. +2. In the left-side pane click **Products** to open the product list view in the center pane. +3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +7. The **Install Product Key** dialog box displays the keys that are available to be installed. +8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. + + VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + +## Related topics + +- [Perform KMS Activation](kms-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 3ca3caf3c4..96908f97d1 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -1,45 +1,45 @@ ---- -title: Install a Product Key (Windows 10) -description: Install a Product Key -ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a Product Key - -You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). - -**To install a Product key** -1. Open VAMT. -2. In the left-side pane, click the product that you want to install keys onto. -3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. -6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. -9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right - Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) - - +--- +title: Install a Product Key (Windows 10) +description: Install a Product Key +ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a Product Key + +You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). + +**To install a Product key** +1. Open VAMT. +2. In the left-side pane, click the product that you want to install keys onto. +3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. +6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. +9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + + **Note**   + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right + Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) + + diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index cf26bea3e6..9a229185cc 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -1,74 +1,74 @@ ---- -title: Install VAMT (Windows 10) -description: Install VAMT -ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 03/11/2019 -ms.topic: article ---- - -# Install VAMT - -This topic describes how to install the Volume Activation Management Tool (VAMT). - -## Install VAMT - -You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. - ->[!IMPORTANT] ->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  - ->[!NOTE] ->The VAMT Microsoft Management Console snap-in ships as an x86 package. - -### Requirements - -- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied -- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) -- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) - -### Install SQL Server 2017 Express - -1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. -2. Select **Basic**. -3. Accept the license terms. -4. Enter an install location or use the default path, and then select **Install**. -5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) - -### Install VAMT using the ADK - -1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. -2. Enter an install location or use the default path, and then select **Next**. -3. Select a privacy setting, and then select **Next**. -4. Accept the license terms. -5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) -6. On the completion page, select **Close**. - -### Configure VAMT to connect to SQL Server 2017 Express - -1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. - - ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) - - - - -## Uninstall VAMT - -To uninstall VAMT using the **Programs and Features** Control Panel: -1. Open **Control Panel** and select **Programs and Features**. -2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. - - - - +--- +title: Install VAMT (Windows 10) +description: Install VAMT +ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 03/11/2019 +ms.topic: article +--- + +# Install VAMT + +This topic describes how to install the Volume Activation Management Tool (VAMT). + +## Install VAMT + +You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. + +>[!IMPORTANT] +>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  + +>[!NOTE] +>The VAMT Microsoft Management Console snap-in ships as an x86 package. + +### Requirements + +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied +- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) +- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) + +### Install SQL Server 2017 Express + +1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. +2. Select **Basic**. +3. Accept the license terms. +4. Enter an install location or use the default path, and then select **Install**. +5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + +### Install VAMT using the ADK + +1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. +2. Enter an install location or use the default path, and then select **Next**. +3. Select a privacy setting, and then select **Next**. +4. Accept the license terms. +5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) +6. On the completion page, select **Close**. + +### Configure VAMT to connect to SQL Server 2017 Express + +1. Open **Volume Active Management Tool 3.1** from the Start menu. +2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. + + ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) + + + + +## Uninstall VAMT + +To uninstall VAMT using the **Programs and Features** Control Panel: +1. Open **Control Panel** and select **Programs and Features**. +2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. + + + + diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 57f8ef18af..791d49e497 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -1,66 +1,66 @@ ---- -title: Introduction to VAMT (Windows 10) -description: Introduction to VAMT -ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Introduction to VAMT - -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. - -**Note**   -VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. - -## In this Topic -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation - -You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. - -## Managing Key Management Service (KMS) Activation - -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. -VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. - -## Enterprise Environment - -VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. - -![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) - -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. - -## VAMT User Interface - -The following screenshot shows the VAMT graphical user interface. - -![VAMT user interface](images/vamtuserinterfaceupdated.jpg) - -VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. -- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - - +--- +title: Introduction to VAMT (Windows 10) +description: Introduction to VAMT +ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Introduction to VAMT + +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. + +**Note**   +VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. + +## In this Topic +- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) +- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) +- [Enterprise Environment](#bkmk-enterpriseenvironment) +- [VAMT User Interface](#bkmk-userinterface) + +## Managing Multiple Activation Key (MAK) and Retail Activation + +You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: +- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. + +## Managing Key Management Service (KMS) Activation + +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. +VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. + +## Enterprise Environment + +VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. + +![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) + +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. + +## VAMT User Interface + +The following screenshot shows the VAMT graphical user interface. + +![VAMT user interface](images/vamtuserinterfaceupdated.jpg) + +VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: +- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. +- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. +- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. +- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + + diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index a72215d2ee..d109d49ad1 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -1,49 +1,49 @@ ---- -title: Perform KMS Activation (Windows 10) -description: Perform KMS Activation -ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform KMS Activation - -The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. - -## Requirements - -Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: -- KMS host is set up and enabled. -- KMS clients can access the KMS host. -- VAMT is installed on a central computer with network access to all client computers. -- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). -- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -## To configure devices for KMS activation - -**To configure devices for KMS activation** -1. Open VAMT. -2. If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. -3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -4. Under **Key Management Services host selection**, select one of the following options: - - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. - - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. - - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. -5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box. -6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**. -9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using. -10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**. -VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane. -  +--- +title: Perform KMS Activation (Windows 10) +description: Perform KMS Activation +ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform KMS Activation + +The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. + +## Requirements + +Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: +- KMS host is set up and enabled. +- KMS clients can access the KMS host. +- VAMT is installed on a central computer with network access to all client computers. +- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). +- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +## To configure devices for KMS activation + +**To configure devices for KMS activation** +1. Open VAMT. +2. If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. +3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. +4. Under **Key Management Services host selection**, select one of the following options: + - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. + - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. + - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. +5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box. +6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +7. Click **Filter**. VAMT displays the filtered list in the center pane. +8. In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**. +9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using. +10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**. +VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane. +  diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 9b6d9f5afe..309dd5a702 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -1,47 +1,47 @@ ---- -title: Perform Local Reactivation (Windows 10) -description: Perform Local Reactivation -ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Local Reactivation - -If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. -Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. - -**Note**   -During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. - -## To Perform a Local Reactivation - -**To perform a local reactivation** -1. Open VAMT. Make sure that you are connected to the desired database. -2. In the left-side pane, click the product you want to reactivate to display the products list. -3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**. -7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using. -8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - - VAMT displays the **Apply Confirmation ID** dialog box. - -10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. -11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box. -12. Click **OK**. - -## Related topics - -- [Manage Activations](manage-activations-vamt.md) +--- +title: Perform Local Reactivation (Windows 10) +description: Perform Local Reactivation +ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Local Reactivation + +If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. +Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. + +**Note**   +During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. + +## To Perform a Local Reactivation + +**To perform a local reactivation** +1. Open VAMT. Make sure that you are connected to the desired database. +2. In the left-side pane, click the product you want to reactivate to display the products list. +3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**. +7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using. +8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Apply Confirmation ID** dialog box. + +10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. +11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box. +12. Click **OK**. + +## Related topics + +- [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 36a4814fd5..318cd0cb65 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -1,33 +1,33 @@ ---- -title: Manage Activations (Windows 10) -description: Manage Activations -ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Activations - -This section describes how to activate a client computer, by using a variety of activation methods. - -## In this Section - -|Topic |Description | -|------|------------| -|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | -|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | - - - +--- +title: Manage Activations (Windows 10) +description: Manage Activations +ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Activations + +This section describes how to activate a client computer, by using a variety of activation methods. + +## In this Section + +|Topic |Description | +|------|------------| +|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | + + + diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 80fd4d4ff0..bedd50af8f 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -1,29 +1,29 @@ ---- -title: Manage Product Keys (Windows 10) -description: Manage Product Keys -ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Product Keys - -This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. -## In this Section - -|Topic |Description | -|------|------------| -|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | -|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | -|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | - - - +--- +title: Manage Product Keys (Windows 10) +description: Manage Product Keys +ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Product Keys + +This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | +|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | +|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | + + + diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index e647b8109a..7d068975cd 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -1,25 +1,25 @@ ---- -title: Manage VAMT Data (Windows 10) -description: Manage VAMT Data -ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage VAMT Data - -This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). - -## In this Section -|Topic |Description | -|------|------------| -|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | -|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | +--- +title: Manage VAMT Data (Windows 10) +description: Manage VAMT Data +ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage VAMT Data + +This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). + +## In this Section +|Topic |Description | +|------|------------| +|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | +|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 91adf217f6..ea131b996d 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -1,45 +1,44 @@ ---- -title: Monitor activation (Windows 10) -ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 -ms.reviewer: -manager: laurawi -audience: itpro -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Monitor activation - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: -- Using the Volume Licensing Service Center website to track use of MAK keys. -- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) -- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) -- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). -- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. -- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). -- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. - -## See also - -[Volume Activation for Windows 10](volume-activation-windows-10.md) \ No newline at end of file +--- +title: Monitor activation (Windows 10) +ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Monitor activation + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: +- Using the Volume Licensing Service Center website to track use of MAK keys. +- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) +- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. +- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). +- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. + +## See also + +[Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index d9a73bae46..45f237024f 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -1,55 +1,55 @@ ---- -title: Perform Online Activation (Windows 10) -description: Perform Online Activation -ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Online Activation - -You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a central computer that has network access to all client computers. -- Both the VAMT host and client computers have Internet access. -- The products that you want to activate are added to VAMT. -- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking -**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. - -## To Perform an Online Activation - -**To perform an online activation** -1. Open VAMT. -2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. -7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - - **Note**   - Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. - - **Note** - You can use online activation to select products that have different key types and activate the products at the same time. - -## Related topics -- [Manage Activations](manage-activations-vamt.md) +--- +title: Perform Online Activation (Windows 10) +description: Perform Online Activation +ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Online Activation + +You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a central computer that has network access to all client computers. +- Both the VAMT host and client computers have Internet access. +- The products that you want to activate are added to VAMT. +- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking +**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform an Online Activation + +**To perform an online activation** +1. Open VAMT. +2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. +7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + + **Note**   + Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. + + **Note** + You can use online activation to select products that have different key types and activate the products at the same time. + +## Related topics +- [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 92c3657316..c5c02eb7d8 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -1,232 +1,232 @@ ---- -title: Plan for volume activation (Windows 10) -description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. -ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 09/27/2017 -ms.topic: article ---- - -# Plan for volume activation - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. - -During the activation process, information about the specific installation is examined. In the case of online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization. - ->[!NOTE] ->The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. - -## Distribution channels and activation - -In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods. - -### Retail activations - -The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. -Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. - -### Original equipment manufacturer - -Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required. -OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. - -### Volume licensing - -Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: -- Have the license preinstalled through the OEM. -- Purchase a fully packaged retail product. - -The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. -Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. - -**Note**   -Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. - -## Activation models - -For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. - -With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: -- Online activation -- Telephone activation -- VAMT proxy activation - -Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: -- MAKs -- KMS -- Active Directory-based activation - -**Note**   -A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. -Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). - -### Multiple activation key - -A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also -allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. - -To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. -In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain. - -Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. - -### Key Management Service - -With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. - -Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. - -The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. - -Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. - -### Active Directory-based activation - -Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. - -Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. - -## Network and connectivity - -A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur. - -### Core network - -Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. - -In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. - -A typical core network that includes a KMS host is shown in Figure 1. - -![Typical core network](../images/volumeactivationforwindows81-01.jpg) - -**Figure 1**. Typical core network - -### Isolated networks - -In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. - -**Isolated for security** - -Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. - -If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. - -If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. - -If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. - -If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. - -![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) - -**Figure 2**. New KMS host in an isolated network - -**Branch offices and distant networks** -From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: -- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. -- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. -- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. -- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. - -### Disconnected computers - -Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. -If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). - -### Test and development labs - -Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. -If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. -In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. - -## Mapping your network to activation methods - -Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. - -**Table 1**. Criteria for activation methods - -|Criterion |Activation method | -|----------|------------------| -|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | -|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

          Note
          The core network must meet the KMS activation threshold. |KMS (central) | -|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM | -|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) | -|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) | -|Number of computers in isolated networks where the KMS activation threshold is not met |MAK | -|Number of computers in test and development labs that will not be activated |None| -|Number of computers that do not have a retail volume license |Retail (online or phone) | -|Number of computers that do not have an OEM volume license |OEM (at factory) | -|Total number of computer activations

          Note
          This total should match the total number of licensed computers in your organization. | - -## Choosing and acquiring keys - -When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: -- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. -- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264). - -### KMS host keys - -A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. - -A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. - -### Generic volume licensing keys - -When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. - -Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. - -Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx). - -### Multiple activation keys - -You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. - -## Selecting a KMS host - -The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. -KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. -A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure. - -The flow of KMS activation is shown in Figure 3, and it follows this sequence: - -1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key. -2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. -3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.) -4. A client configured with a GVLK uses DNS to locate the KMS host. -5. The client sends one packet to the KMS host. -6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. -7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. -8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. - -![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) - -**Figure 3**. KMS activation flow - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) - - +--- +title: Plan for volume activation (Windows 10) +description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. +ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 09/27/2017 +ms.topic: article +--- + +# Plan for volume activation + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. + +During the activation process, information about the specific installation is examined. In the case of online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization. + +>[!NOTE] +>The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. + +## Distribution channels and activation + +In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods. + +### Retail activations + +The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. +Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. + +### Original equipment manufacturer + +Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required. +OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. + +### Volume licensing + +Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: +- Have the license preinstalled through the OEM. +- Purchase a fully packaged retail product. + +The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. +Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. + +**Note**   +Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. + +## Activation models + +For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. + +With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: +- Online activation +- Telephone activation +- VAMT proxy activation + +Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: +- MAKs +- KMS +- Active Directory-based activation + +**Note**   +A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. +Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). + +### Multiple activation key + +A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also +allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. + +To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. +In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain. + +Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. + +### Key Management Service + +With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. + +Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. + +The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. + +Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. + +### Active Directory-based activation + +Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. + +Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. + +## Network and connectivity + +A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur. + +### Core network + +Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. + +In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. + +A typical core network that includes a KMS host is shown in Figure 1. + +![Typical core network](../images/volumeactivationforwindows81-01.jpg) + +**Figure 1**. Typical core network + +### Isolated networks + +In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. + +**Isolated for security** + +Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. + +If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. + +If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. + +If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. + +If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. + +![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg) + +**Figure 2**. New KMS host in an isolated network + +**Branch offices and distant networks** +From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: +- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. +- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. +- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. +- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. + +### Disconnected computers + +Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. +If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). + +### Test and development labs + +Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. +If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. +In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. + +## Mapping your network to activation methods + +Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. + +**Table 1**. Criteria for activation methods + +|Criterion |Activation method | +|----------|------------------| +|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | +|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

          Note
          The core network must meet the KMS activation threshold. |KMS (central) | +|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM | +|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) | +|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) | +|Number of computers in isolated networks where the KMS activation threshold is not met |MAK | +|Number of computers in test and development labs that will not be activated |None| +|Number of computers that do not have a retail volume license |Retail (online or phone) | +|Number of computers that do not have an OEM volume license |OEM (at factory) | +|Total number of computer activations

          Note
          This total should match the total number of licensed computers in your organization. | + +## Choosing and acquiring keys + +When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: +- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. +- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264). + +### KMS host keys + +A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. + +A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. + +### Generic volume licensing keys + +When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. + +Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. + +Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx). + +### Multiple activation keys + +You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. + +## Selecting a KMS host + +The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. +KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. +A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure. + +The flow of KMS activation is shown in Figure 3, and it follows this sequence: + +1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key. +2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. +3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.) +4. A client configured with a GVLK uses DNS to locate the KMS host. +5. The client sends one packet to the KMS host. +6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. +7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. +8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. + +![KMS activation flow](../images/volumeactivationforwindows81-03.jpg) + +**Figure 3**. KMS activation flow + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + + diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 805b3dfd6c..ff4ab4c6f5 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -1,58 +1,58 @@ ---- -title: Perform Proxy Activation (Windows 10) -description: Perform Proxy Activation -ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Proxy Activation - -You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. - -In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. - -**Note**   -For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.  - -## Requirements - -Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: -- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. -- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. -- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. -- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. - -## To Perform Proxy Activation - -**To perform proxy activation** - -1. Open VAMT. -2. If necessary, install product keys. For more information see: - - [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). - - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. -3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box. -7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**. -8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. -9. Click **OK**. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. - - **Note**   - You can use proxy activation to select products that have different key types and activate the products at the same time. - - - +--- +title: Perform Proxy Activation (Windows 10) +description: Perform Proxy Activation +ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Proxy Activation + +You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. + +In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. + +**Note**   +For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.  + +## Requirements + +Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: +- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. +- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. +- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. +- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform Proxy Activation + +**To perform proxy activation** + +1. Open VAMT. +2. If necessary, install product keys. For more information see: + - [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). + - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. +3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the center pane. +6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box. +7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**. +8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. +9. Click **OK**. +10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. + + **Note**   + You can use proxy activation to select products that have different key types and activate the products at the same time. + + + diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 5869a5725e..65dd923d7e 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -1,35 +1,35 @@ ---- -title: Remove Products (Windows 10) -description: Remove Products -ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Remove Products - -To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. - -**To delete one or more products** -1. Click a product node in the left-side pane. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products you want to delete. -6. Click **Delete** in the **Selected Items** menu in the right-side pane. -7. On the **Confirm Delete Selected Products** dialog box, click **OK**. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) -  -  +--- +title: Remove Products (Windows 10) +description: Remove Products +ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Remove Products + +To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. + +**To delete one or more products** +1. Click a product node in the left-side pane. +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products you want to delete. +6. Click **Delete** in the **Selected Items** menu in the right-side pane. +7. On the **Confirm Delete Selected Products** dialog box, click **OK**. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 6fb201f1e4..34263037b3 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -1,48 +1,48 @@ ---- -title: Scenario 3 KMS Client Activation (Windows 10) -description: Scenario 3 KMS Client Activation -ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Scenario 3: KMS Client Activation - -In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). - -The procedure that is described below assumes the following: -- The KMS Service is enabled and available to all KMS clients. -- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. - -## Activate KMS Clients - -1. Open VAMT. -2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: - - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. - - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. - - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. -4. In the left-side pane, in the **Products** node, click the product that you want to activate. -5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. Select the products that you want to activate. -9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - -The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  +--- +title: Scenario 3 KMS Client Activation (Windows 10) +description: Scenario 3 KMS Client Activation +ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Scenario 3: KMS Client Activation + +In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +The procedure that is described below assumes the following: +- The KMS Service is enabled and available to all KMS clients. +- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. + +## Activate KMS Clients + +1. Open VAMT. +2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. +3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: + - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. + - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. + - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. +4. In the left-side pane, in the **Products** node, click the product that you want to activate. +5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +7. Click **Filter**. VAMT displays the filtered list in the center pane. +8. Select the products that you want to activate. +9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 2e35cec348..865dbdf623 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -1,136 +1,136 @@ ---- -title: Scenario 1 Online Activation (Windows 10) -description: Scenario 1 Online Activation -ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Scenario 1: Online Activation - -In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: -- Multiple Activation Key (MAK) -- Windows Key Management Service (KMS) keys: - - KMS Host key (CSVLK) - - Generic Volume License Key (GVLK), or KMS client key -- Retail -The Secure Zone represents higher-security Core Network computers that have additional firewall protection. - -![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) - -## In This Topic -- [Install and start VAMT on a networked host computer](#bkmk-partone) -- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) -- [Connect to VAMT database](#bkmk-partthree) -- [Discover products](#bkmk-partfour) -- [Sort and filter the list of computers](#bkmk-partfive) -- [Collect status information from the computers in the list](#bkmk-partsix) -- [Add product keys and determine the remaining activation count](#bkmk-partseven) -- [Install the product keys](#bkmk-parteight) -- [Activate the client products](#bkmk-partnine) - -## Step 1: Install and start VAMT on a networked host computer - -1. Install VAMT on the host computer. -2. Click the VAMT icon in the **Start** menu to open VAMT. - -## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers - -- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - - **Note**   - To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -## Step 3: Connect to a VAMT database - -1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. -2. Click **Connect**. -3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) - -## Step 4: Discover products - -1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. -2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane. -3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. - - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. -4. Click **Search**. - - When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. - -## Step 5: Sort and filter the list of computers - -You can sort the list of products so that it is easier to find the computers that require product keys to be activated: -1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. -2. To sort the list further, you can click one of the column headings to sort by that column. -3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. - -## Step 6: Collect status information from the computers in the list - -To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: -- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. - **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. -- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. - - **Note** - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. - -## Step 7: Add product keys and determine the remaining activation count - -1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. -2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**. - - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - - The keys that you have added appear in the **Product Keys** list view in the center pane. - - **Important**   - If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. - -## Step 8: Install the product keys - -1. In the left-side pane, click the product that you want to install keys on to. -2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive). -3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. -6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status appears under the **Status of Last Action** column in the product list view in the center pane. - **Note**   - - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](https://go.microsoft.com/fwlink/p/?linkid=238382) - -## Step 9: Activate the client products - -1. Select the individual products that you want to activate in the list-view pane. -2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. -3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option. -4. Enter your alternate user name and password and click **OK**. -5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. - - **Note**   - Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. - - RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - - +--- +title: Scenario 1 Online Activation (Windows 10) +description: Scenario 1 Online Activation +ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Scenario 1: Online Activation + +In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: +- Multiple Activation Key (MAK) +- Windows Key Management Service (KMS) keys: + - KMS Host key (CSVLK) + - Generic Volume License Key (GVLK), or KMS client key +- Retail +The Secure Zone represents higher-security Core Network computers that have additional firewall protection. + +![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) + +## In This Topic +- [Install and start VAMT on a networked host computer](#bkmk-partone) +- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) +- [Connect to VAMT database](#bkmk-partthree) +- [Discover products](#bkmk-partfour) +- [Sort and filter the list of computers](#bkmk-partfive) +- [Collect status information from the computers in the list](#bkmk-partsix) +- [Add product keys and determine the remaining activation count](#bkmk-partseven) +- [Install the product keys](#bkmk-parteight) +- [Activate the client products](#bkmk-partnine) + +## Step 1: Install and start VAMT on a networked host computer + +1. Install VAMT on the host computer. +2. Click the VAMT icon in the **Start** menu to open VAMT. + +## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers + +- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + + **Note**   + To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +## Step 3: Connect to a VAMT database + +1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. +2. Click **Connect**. +3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) + +## Step 4: Discover products + +1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. +2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane. +3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. + - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. +4. Click **Search**. + + When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. + +## Step 5: Sort and filter the list of computers + +You can sort the list of products so that it is easier to find the computers that require product keys to be activated: +1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. +2. To sort the list further, you can click one of the column headings to sort by that column. +3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. + +## Step 6: Collect status information from the computers in the list + +To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: +- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. +- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. + **To collect status information from the selected computers** +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. +- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. + + **Note** + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +## Step 7: Add product keys and determine the remaining activation count + +1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. +2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**. + - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + The keys that you have added appear in the **Product Keys** list view in the center pane. + + **Important**   + If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Step 8: Install the product keys + +1. In the left-side pane, click the product that you want to install keys on to. +2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive). +3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. +6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status appears under the **Status of Last Action** column in the product list view in the center pane. + **Note**   + + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](https://go.microsoft.com/fwlink/p/?linkid=238382) + +## Step 9: Activate the client products + +1. Select the individual products that you want to activate in the list-view pane. +2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. +3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option. +4. Enter your alternate user name and password and click **OK**. +5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. + + **Note**   + Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. + + RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + + diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index c06bae6554..3c52c27790 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation +audience: itpro author: greg-lindsay ms.date: 04/25/2017 ms.topic: article @@ -143,7 +144,7 @@ In this step, you export VAMT from the workgroup’s host computer and save it i 1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products. 2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. - VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Sataus** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. ## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 35c36497d3..038839adb4 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -1,38 +1,38 @@ ---- -title: Update Product Status (Windows 10) -description: Update Product Status -ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Update Product Status - -After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. -To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -**Note**   -The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. - -## Update the license status of a product - -1. Open VAMT. -2. In the **Products** list, select one or more products that need to have their status updated. -3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. -4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - - VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - - **Note**   - If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) +--- +title: Update Product Status (Windows 10) +description: Update Product Status +ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Update Product Status + +After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. +To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +**Note**   +The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. + +## Update the license status of a product + +1. Open VAMT. +2. In the **Products** list, select one or more products that need to have their status updated. +3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. +4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index eac425c66b..39f4344b23 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -1,79 +1,79 @@ ---- -title: Use the Volume Activation Management Tool (Windows 10) -description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. -ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Use the Volume Activation Management Tool - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. - -By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be -installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. - -The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740). - -In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. - -## Activating with the Volume Activation Management Tool - -You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: -- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. - By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. - -## Tracking products and computers with the Volume Activation Management Tool - -The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. - -![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) - -**Figure 18**. The VAMT showing the licensing status of multiple computers - -## Tracking key usage with the Volume Activation Management Tool - -The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. - -![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) - -**Figure 19**. The VAMT showing key types and usage - -## Other Volume Activation Management Tool features - -The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: -- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. -- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. -- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. - -For more information, see: -- [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266) -- [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267) - -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Use the Volume Activation Management Tool (Windows 10) +description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. +ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Use the Volume Activation Management Tool + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. + +By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be +installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. + +The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740). + +In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. + +## Activating with the Volume Activation Management Tool + +You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: +- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. +- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. + By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. + +## Tracking products and computers with the Volume Activation Management Tool + +The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. + +![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg) + +**Figure 18**. The VAMT showing the licensing status of multiple computers + +## Tracking key usage with the Volume Activation Management Tool + +The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. + +![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg) + +**Figure 19**. The VAMT showing key types and usage + +## Other Volume Activation Management Tool features + +The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: +- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. +- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. +- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. + +For more information, see: +- [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266) +- [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267) + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 034bbfc2c8..e54f6338f1 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -9,6 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation +audience: itpro author: greg-lindsay ms.date: 04/25/2017 ms.topic: article @@ -32,11 +33,11 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type: - ``` ps1 + ``` powershell cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” ``` - Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ``` syntax + ``` powershell Import-Module .\VAMT.psd1 ``` Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. @@ -44,11 +45,11 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p ## To Get Help for VAMT PowerShell cmdlets You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type: -``` ps1 +``` powershell get-help -all ``` For example, type: -``` ps1 +``` powershell get-help get-VamtProduct -all ``` @@ -58,18 +59,18 @@ The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view onl **To view VAMT PowerShell Help sections** 1. To get the syntax to use with a cmdlet, type the following at a command prompt: - ``` ps1 + ``` powershell get-help ``` For example, type: - ``` ps1 + ``` powershell get-help get-VamtProduct ``` 2. To see examples using a cmdlet, type: - ``` ps1 + ``` powershell get-help -examples ``` For example, type: - ``` ps1 + ``` powershell get-help get-VamtProduct -examples ``` diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index a8b0716151..70933d12f6 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -1,25 +1,25 @@ ---- -title: VAMT Known Issues (Windows 10) -description: VAMT Known Issues -ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Known Issues - -The following list contains the current known issues with the Volume Activation Management Tool (VAMT) 3.0. -- The VAMT Windows Management Infrastructure (WMI) remote operations may take longer to execute if the target computer is in a sleep or standby state. -- Recovery of Non-Genuine computers is a two-step process. VAMT can be used to install a new product key and activate the computer. However, the computer itself must visit the [Windows Genuine Advantage](https://go.microsoft.com/fwlink/p/?linkid=182914) Web site to revalidate the computer's Genuine status. Upon successfully completing this step, the computer will be restored to full functionality. For more information on recovering Non-Genuine Windows computers, go to [Windows Volume Activation](https://go.microsoft.com/fwlink/p/?linkid=184668). -- When opening a Computer Information List (.cil file) saved in a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information. -- The remaining activation count can only be retrieved for MAKs. -  -  +--- +title: VAMT Known Issues (Windows 10) +description: VAMT Known Issues +ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Known Issues + +The following list contains the current known issues with the Volume Activation Management Tool (VAMT) 3.0. +- The VAMT Windows Management Infrastructure (WMI) remote operations may take longer to execute if the target computer is in a sleep or standby state. +- Recovery of Non-Genuine computers is a two-step process. VAMT can be used to install a new product key and activate the computer. However, the computer itself must visit the [Windows Genuine Advantage](https://go.microsoft.com/fwlink/p/?linkid=182914) Web site to revalidate the computer's Genuine status. Upon successfully completing this step, the computer will be restored to full functionality. For more information on recovering Non-Genuine Windows computers, go to [Windows Volume Activation](https://go.microsoft.com/fwlink/p/?linkid=184668). +- When opening a Computer Information List (.cil file) saved in a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information. +- The remaining activation count can only be retrieved for MAKs. +  +  diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index db74ca8874..264ebca94c 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -1,47 +1,47 @@ ---- -title: VAMT Requirements (Windows 10) -description: VAMT Requirements -ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Requirements - -This topic includes info about the product key and system requirements for VAMT. - -## Product Key Requirements - -The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. - -|Product key type |Where to obtain | -|-----------------|----------------| -|

          • Multiple Activation Key (MAK)
          • Key Management Service (KMS) host key (CSVLK)
          • KMS client setup keys (GVLK)
          |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | -|Retail product keys |Obtained at time of product purchase. | - -## System Requirements - -The following table lists the system requirements for the VAMT host computer. - -|Item |Minimum system requirement | -|-----|---------------------------| -|Computer and Processor |1 GHz x86 or x64 processor | -|Memory |1 GB RAM for x86 or 2 GB RAM for x64 | -|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 | -|External Drive|Removable media (Optional) | -|Display |1024x768 or higher resolution monitor | -|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS | -|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. | -|Additional Requirements |
          • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
          • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and -Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
          • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
          | - -## Related topics -- [Install and Configure VAMT](install-configure-vamt.md) +--- +title: VAMT Requirements (Windows 10) +description: VAMT Requirements +ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Requirements + +This topic includes info about the product key and system requirements for VAMT. + +## Product Key Requirements + +The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. + +|Product key type |Where to obtain | +|-----------------|----------------| +|
          • Multiple Activation Key (MAK)
          • Key Management Service (KMS) host key (CSVLK)
          • KMS client setup keys (GVLK)
          |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | +|Retail product keys |Obtained at time of product purchase. | + +## System Requirements + +The following table lists the system requirements for the VAMT host computer. + +|Item |Minimum system requirement | +|-----|---------------------------| +|Computer and Processor |1 GHz x86 or x64 processor | +|Memory |1 GB RAM for x86 or 2 GB RAM for x64 | +|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 | +|External Drive|Removable media (Optional) | +|Display |1024x768 or higher resolution monitor | +|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS | +|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. | +|Additional Requirements |
          • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
          • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and +Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
          • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
          | + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 396863340c..ae1576bb5f 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -1,32 +1,32 @@ ---- -title: VAMT Step-by-Step Scenarios (Windows 10) -description: VAMT Step-by-Step Scenarios -ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Step-by-Step Scenarios - -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. - -## In this Section - -|Topic |Description | -|------|------------| -|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | - -## Related topics -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: VAMT Step-by-Step Scenarios (Windows 10) +description: VAMT Step-by-Step Scenarios +ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Step-by-Step Scenarios + +This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. + +## In this Section + +|Topic |Description | +|------|------------| +|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | + +## Related topics +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index d8bb56ec77..b517ac9410 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -1,43 +1,43 @@ ---- -title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) -description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. -ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Volume Activation Management Tool (VAMT) Technical Reference - -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. -VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: -- Windows® 7 or above -- Windows Server 2008 R2 or above - - -**Important**   -VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above). - -VAMT is only available in an EN-US (x86) package. - -## In this Section - -|Topic |Description | -|------|------------| -|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. | -|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | -|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | -|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | -|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | -|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | -|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | -|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | -|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | - +--- +title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) +description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. +ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Volume Activation Management Tool (VAMT) Technical Reference + +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. +VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: +- Windows® 7 or above +- Windows Server 2008 R2 or above + + +**Important**   +VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above). + +VAMT is only available in an EN-US (x86) package. + +## In this Section + +|Topic |Description | +|------|------------| +|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. | +|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | +|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | +|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | +|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | +|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | +|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | +|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | +|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | + diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 49204c7ae4..0d0a77909e 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -1,69 +1,69 @@ ---- -title: Volume Activation for Windows 10 (Windows 10) -description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. -ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Volume Activation for Windows 10 - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for volume licensing information?** -- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) - -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. -*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions. - -Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. - -This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation. - -Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide -discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. - -Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library. - -If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210). - -To successfully plan and implement a volume activation strategy, you must: -- Learn about and understand product activation. -- Review and evaluate the available activation types or models. -- Consider the connectivity of the clients to be activated. -- Choose the method or methods to be used with each type of client. -- Determine the types and number of product keys you will need. -- Determine the monitoring and reporting needs in your organization. -- Install and configure the tools required to support the methods selected. - -Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. - -**In this guide:** -- [Plan for volume activation](plan-for-volume-activation-client.md) -- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) -- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) -- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) -- [Monitor activation](monitor-activation-client.md) -- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) -- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) -  +--- +title: Volume Activation for Windows 10 (Windows 10) +description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. +ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Volume Activation for Windows 10 + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for volume licensing information?** +- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) + +**Looking for retail activation?** +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. +*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions. + +Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. + +This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation. + +Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide +discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. + +Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library. + +If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210). + +To successfully plan and implement a volume activation strategy, you must: +- Learn about and understand product activation. +- Review and evaluate the available activation types or models. +- Consider the connectivity of the clients to be activated. +- Choose the method or methods to be used with each type of client. +- Determine the types and number of product keys you will need. +- Determine the monitoring and reporting needs in your organization. +- Install and configure the tools required to support the methods selected. + +Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. + +**In this guide:** +- [Plan for volume activation](plan-for-volume-activation-client.md) +- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) +- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) +- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) +- [Monitor activation](monitor-activation-client.md) +- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) +- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) +  diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index cf5dc081cf..26151664de 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -1,275 +1,275 @@ ---- -title: Windows 10 deployment scenarios (Windows 10) -description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -keywords: upgrade, in-place, configuration, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.date: 11/06/2018 -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 deployment scenarios - -**Applies to** -- Windows 10 - -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. - -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use existing tools to deploy operating system images.
            - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          CategoryScenarioDescriptionMore information
          Modern - -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
          - -[In-place upgrade](#in-place-upgrade) - - - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
          Perform an in-place upgrade to Windows 10 using Configuration Manager -
          - Dynamic - - -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
          - - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
          - - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
          - Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
          Install a new version of Windows on a new computer with System Center Configuration Manager -
          - - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
          Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
          - - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
          Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
          - -
            - - ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
          ->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. - -The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. - -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - - -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). - - -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment: - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: - -- **New computer.** A bare-metal deployment of a new machine. - -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). - -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After taking these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After taking these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - **Note**
          In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. - -## Related topics - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) -- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) -- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) -- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) +--- +title: Windows 10 deployment scenarios (Windows 10) +description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.date: 11/06/2018 +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 deployment scenarios + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. + +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use existing tools to deploy operating system images.
            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          CategoryScenarioDescriptionMore information
          Modern + +[Windows Autopilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. + +Overview of Windows Autopilot +
          + +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. + +Perform an in-place upgrade to Windows 10 with MDT
          Perform an in-place upgrade to Windows 10 using Configuration Manager +
          + Dynamic + + +[Subscription Activation](#windows-10-subscription-activation) + + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. + +Windows 10 Subscription Activation +
          + + [AAD / MDM](#dynamic-provisioning) + + The device is automatically joined to AAD and configured by MDM. + +Azure Active Directory integration with MDM +
          + + [Provisioning packages](#dynamic-provisioning) + + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. + +Configure devices without MDM +
          + Traditional + + + [Bare metal](#new-computer) + + Deploy a new device, or wipe an existing device and deploy with a fresh image. + + Deploy a Windows 10 image using MDT
          Install a new version of Windows on a new computer with System Center Configuration Manager +
          + + [Refresh](#computer-refresh) + + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. + + Refresh a Windows 7 computer with Windows 10
          Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager +
          + + [Replace](#computer-replace) + + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. + + Replace a Windows 7 computer with a Windows 10 computer
          Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager +
          + +
            + + +>[!IMPORTANT] +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
          +>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows Autopilot + +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +### In-place upgrade + +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. + +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. + +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + + +## Dynamic provisioning + +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. + +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +### Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). + + +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment + +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). + +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment: + +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. + +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). + +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +### New computer + +Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +### Computer refresh + +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +### Computer replace + +A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
          In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357) +- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358) +- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359) diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index 42bf08e5b8..46feb45c03 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -1,28 +1,28 @@ ---- -title: Windows 10 deployment tools (Windows 10) -description: Learn about the tools available to deploy Windows 10. -ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 07/12/2017 -ms.topic: article ---- - -# Windows 10 deployment tools - -Learn about the tools available to deploy Windows 10. - -|Topic |Description | -|------|------------| -|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | -|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | +--- +title: Windows 10 deployment tools (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 07/12/2017 +ms.topic: article +--- + +# Windows 10 deployment tools + +Learn about the tools available to deploy Windows 10. + +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index e8473e6ea0..43fe3a68c7 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -1,28 +1,28 @@ ---- -title: Windows 10 deployment tools (Windows 10) -description: Learn about the tools available to deploy Windows 10. -ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 10/16/2017 -ms.topic: article ---- - -# Windows 10 deployment tools - -Learn about the tools available to deploy Windows 10. - -|Topic |Description | -|------|------------| -|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | -|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | +--- +title: Windows 10 deployment tools (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 10/16/2017 +ms.topic: article +--- + +# Windows 10 deployment tools + +Learn about the tools available to deploy Windows 10. + +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f5421a4ffd..6b45127282 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,258 +1,258 @@ ---- -title: Windows 10 Enterprise E3 in CSP -description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -ms.date: 08/24/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows 10 Enterprise E3 in CSP - -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded -- Azure Active Directory (Azure AD) available for identity management - -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. - -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. - -When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - -- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. - -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). - -- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. - -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - -- [Microsoft Volume Licensing](https://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. - -- [Software Assurance](https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - - In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. - -In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. - -## Compare Windows 10 Pro and Enterprise editions - -Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. - -*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          FeatureDescription

          Credential Guard

          This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

          -

          Credential Guard has the following features:

          -
            -

          • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

            • -

          • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

            • -

          • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

            • -

          • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

            • -
          -

          For more information, see Protect derived domain credentials with Credential Guard.

          -

          Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

          Device Guard

          This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

          -

          Device Guard does the following:

          -
            -

          • Helps protect against malware

            • -

          • Helps protect the Windows system core from vulnerability and zero-day exploits

            • -

          • Allows only trusted apps to run

            • -
          -

          For more information, see Introduction to Device Guard.

          AppLocker management

          This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

          -

          For more information, see AppLocker.

          Application Virtualization (App-V)

          This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

          -

          For more information, see Getting Started with App-V for Windows 10.

          User Experience Virtualization (UE-V)

          With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

          -

          UE-V provides the ability to do the following:

          -
            -

          • Specify which application and Windows settings synchronize across user devices

            • -

          • Deliver the settings anytime and anywhere users work throughout the enterprise

            • -

          • Create custom templates for your third-party or line-of-business applications

            • -

          • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

            • -
          -

          For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

          Managed User Experience

          This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

          -
            -

          • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

            • -

          • Removing Log Off (the User tile) from the Start menu

            • -

          • Removing frequent programs from the Start menu

            • -

          • Removing the All Programs list from the Start menu

            • -

          • Preventing users from customizing their Start screen

            • -

          • Forcing Start menu to be either full-screen size or menu size

            • -

          • Preventing changes to Taskbar and Start menu settings

            • -
          -
          - -## Deployment of Windows 10 Enterprise E3 licenses - -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Deploy Windows 10 Enterprise features - -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? - -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. - -### Credential Guard\* - -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. - -- **Manual**. You can manually turn on Credential Guard by doing the following: - - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - - You can automate these manual steps by using a management tool such as System Center Configuration Manager. - -For more information about implementing Credential Guard, see the following resources: - -- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - -\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* - -### Device Guard - -Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: - -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. - -2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. - -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. - -4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. - -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. - -6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. - -7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. - -For more information about implementing Device Guard, see: - -- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) -- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) - -### AppLocker management - -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. - -For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). - -### App-V - -App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: - -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. - -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. - -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. - -For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: - -- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) -- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) - -### UE-V -UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: - -- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. - -- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. - -- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. - -- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. - -- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. - -For more information about deploying UE-V, see the following resources: - -- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) -- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) -- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) - -### Managed User Experience - -The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. - -*Table 2. Managed User Experience features* - -| Feature | Description | -|------------------|-----------------| -| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
          For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
          For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
          For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
          For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
          For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
          For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | - -## Related topics - -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
          [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) -
          [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
          [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) +--- +title: Windows 10 Enterprise E3 in CSP +description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/24/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows 10 Enterprise E3 in CSP + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +- Azure Active Directory (Azure AD) available for identity management + +Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. + +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: + +- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). + +- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. + +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. + +- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). + +- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. + +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? + +- [Microsoft Volume Licensing](https://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. + +- [Software Assurance](https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: + + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + + In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + +In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. + +## Compare Windows 10 Pro and Enterprise editions + +Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. + +*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          FeatureDescription

          Credential Guard

          This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

          +

          Credential Guard has the following features:

          +
            +

          • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

            • +

          • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

            • +

          • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

            • +

          • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

            • +
          +

          For more information, see Protect derived domain credentials with Credential Guard.

          +

          Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

          Device Guard

          This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

          +

          Device Guard does the following:

          +
            +

          • Helps protect against malware

            • +

          • Helps protect the Windows system core from vulnerability and zero-day exploits

            • +

          • Allows only trusted apps to run

            • +
          +

          For more information, see Introduction to Device Guard.

          AppLocker management

          This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

          +

          For more information, see AppLocker.

          Application Virtualization (App-V)

          This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

          +

          For more information, see Getting Started with App-V for Windows 10.

          User Experience Virtualization (UE-V)

          With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

          +

          UE-V provides the ability to do the following:

          +
            +

          • Specify which application and Windows settings synchronize across user devices

            • +

          • Deliver the settings anytime and anywhere users work throughout the enterprise

            • +

          • Create custom templates for your third-party or line-of-business applications

            • +

          • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

            • +
          +

          For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

          Managed User Experience

          This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

          +
            +

          • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

            • +

          • Removing Log Off (the User tile) from the Start menu

            • +

          • Removing frequent programs from the Start menu

            • +

          • Removing the All Programs list from the Start menu

            • +

          • Preventing users from customizing their Start screen

            • +

          • Forcing Start menu to be either full-screen size or menu size

            • +

          • Preventing changes to Taskbar and Start menu settings

            • +
          +
          + +## Deployment of Windows 10 Enterprise E3 licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Deploy Windows 10 Enterprise features + +Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? + +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. + +### Credential Guard\* + +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: + +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. + +- **Manual**. You can manually turn on Credential Guard by doing the following: + + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + + You can automate these manual steps by using a management tool such as System Center Configuration Manager. + +For more information about implementing Credential Guard, see the following resources: + +- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) + +\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* + +### Device Guard + +Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: + +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. + +2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. + +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. + +4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. + +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. + +6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. + +7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. + +For more information about implementing Device Guard, see: + +- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) +- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) + +### AppLocker management + +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. + +For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). + +### App-V + +App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: + +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. + +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. + +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. + +For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: + +- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) +- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) + +### UE-V +UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: + +- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. + +- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. + +- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. + +- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. + +- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. + +For more information about deploying UE-V, see the following resources: + +- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) +- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) +- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) + +### Managed User Experience + +The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. + +*Table 2. Managed User Experience features* + +| Feature | Description | +|------------------|-----------------| +| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
          For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
          For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
          For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
          For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
          For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
          For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | + +## Related topics + +[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) +
          [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
          [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) +
          [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index e7cb52cc30..66d5049d31 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -1,94 +1,94 @@ ---- -title: Windows 10 volume license media -description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. -keywords: deploy, upgrade, update, software, media -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.date: 10/20/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.sitesec: library -author: greg-lindsay -ms.topic: article ---- - -# Windows 10 volume license media - - -**Applies to** - -- Windows 10 - -With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. - -## Windows 10 media - -To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.”  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions. - -When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). - ->If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). - -In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. - -### Windows 10, version 1709 - -Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. - -For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: - -![Images](images/table01.png) - -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. - -For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: - -
          - -| Title | Classification | Description | -| --- | --- | --- | -| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 | -| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 | - -
          - -When you approve one of these packages, it applies to all of the editions. - -This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology.  For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas). - - -### Language packs - -- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.  -- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. - -See the following example for Windows 10, version 1709: - -![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) - -### Features on demand - -[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. - -Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image. - - -## Related topics - -[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/en-us/download/details.aspx?id=10585) -
          [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10) -
          [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client) -
          [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) -
          [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc) - - -  - -  - - - - - +--- +title: Windows 10 volume license media +description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +keywords: deploy, upgrade, update, software, media +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.date: 10/20/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Windows 10 volume license media + + +**Applies to** + +- Windows 10 + +With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. + +## Windows 10 media + +To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.”  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions. + +When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). + +>If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). + +In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. + +### Windows 10, version 1709 + +Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. + +For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: + +![Images](images/table01.png) + +When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. + +For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: + +
          + +| Title | Classification | Description | +| --- | --- | --- | +| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 | +| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 | + +
          + +When you approve one of these packages, it applies to all of the editions. + +This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology.  For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas). + + +### Language packs + +- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.  +- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. + +See the following example for Windows 10, version 1709: + +![Windows 10, version 1709 lang pack](images/lang-pack-1709.png) + +### Features on demand + +[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. + +Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image. + + +## Related topics + +[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/en-us/download/details.aspx?id=10585) +
          [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10) +
          [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client) +
          [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) +
          [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc) + + +  + +  + + + + + diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 6844500378..dfa95cf6e1 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -1,103 +1,103 @@ ---- -title: How to install fonts missing after upgrading to Windows 10 -description: Some of the fonts are missing from the system after you upgrade to Windows 10. -keywords: deploy, upgrade, FoD, optional feature -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/31/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# How to install fonts that are missing after upgrading to Windows 10 - -> Applies to: Windows 10 - -When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. - -If you have documents created using the missing fonts, these documents might display differently on Windows 10. - -For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: - -- Gautami -- Meiryo -- Narkism/Batang -- BatangChe -- Dotum -- DotumChe -- Gulim -- GulimChe -- Gungsuh -- GungsuhChe - -If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. - -## Installing language-associated features via language settings: - -If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. - -For example, here are the steps to install the fonts associated with the Hebrew language: - -1. Click **Start > Settings**. -2. In Settings, click **Time & language**, and then click **Region & language**. -3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. -4. Find Hebrew, and then click it to add it to your language list. - -Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. - -> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. - -## Install optional fonts manually without changing language settings: - -If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. - -For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: - -1. Click **Start > Settings**. -2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. - -3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. -4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. - -> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. - -## Fonts included in optional font features - -Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles. - -- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting -- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda -- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia -- Cherokee Supplemental Fonts: Plantagenet Cherokee -- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei -- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU -- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah -- Ethiopic Supplemental Fonts: Nyala -- Gujarati Supplemental Fonts: Shruti -- Gurmukhi Supplemental Fonts: Raavi -- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod -- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho -- Kannada Supplemental Fonts: Tunga -- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran -- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe -- Lao Supplemental Fonts: DokChampa, Lao UI -- Malayalam Supplemental Fonts: Karthika -- Odia Supplemental Fonts: Kalinga -- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro -- Sinhala Supplemental Fonts: Iskoola Pota -- Syriac Supplemental Fonts: Estrangelo Edessa -- Tamil Supplemental Fonts: Latha, Vijaya -- Telugu Supplemental Fonts: Gautami, Vani -- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC - -## Related Topics - -[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) - -[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) - -[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) +--- +title: How to install fonts missing after upgrading to Windows 10 +description: Some of the fonts are missing from the system after you upgrade to Windows 10. +keywords: deploy, upgrade, FoD, optional feature +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.audience: itpro author: greg-lindsay +ms.date: 10/31/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# How to install fonts that are missing after upgrading to Windows 10 + +> Applies to: Windows 10 + +When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. + +If you have documents created using the missing fonts, these documents might display differently on Windows 10. + +For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: + +- Gautami +- Meiryo +- Narkism/Batang +- BatangChe +- Dotum +- DotumChe +- Gulim +- GulimChe +- Gungsuh +- GungsuhChe + +If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. + +## Installing language-associated features via language settings: + +If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. + +For example, here are the steps to install the fonts associated with the Hebrew language: + +1. Click **Start > Settings**. +2. In Settings, click **Time & language**, and then click **Region & language**. +3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. +4. Find Hebrew, and then click it to add it to your language list. + +Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. + +> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. + +## Install optional fonts manually without changing language settings: + +If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. + +For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: + +1. Click **Start > Settings**. +2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. + +3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. +4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. + +> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. + +## Fonts included in optional font features + +Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles. + +- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting +- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda +- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia +- Cherokee Supplemental Fonts: Plantagenet Cherokee +- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei +- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU +- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah +- Ethiopic Supplemental Fonts: Nyala +- Gujarati Supplemental Fonts: Shruti +- Gurmukhi Supplemental Fonts: Raavi +- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod +- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho +- Kannada Supplemental Fonts: Tunga +- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran +- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe +- Lao Supplemental Fonts: DokChampa, Lao UI +- Malayalam Supplemental Fonts: Karthika +- Odia Supplemental Fonts: Kalinga +- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro +- Sinhala Supplemental Fonts: Iskoola Pota +- Syriac Supplemental Fonts: Estrangelo Edessa +- Tamil Supplemental Fonts: Latha, Vijaya +- Telugu Supplemental Fonts: Gautami, Vani +- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC + +## Related Topics + +[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) + +[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) + +[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 9a04b8b7af..ddb22cbbbb 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -1,655 +1,655 @@ ---- -title: Step by step - Deploy Windows 10 in a test lab using MDT -description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.topic: article ---- - - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. - ->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - -## In this guide - -This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
          - -
          - - -
          TopicDescriptionTime - -
          About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational -
          Install MDTDownload and install MDT.40 minutes -
          Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes -
          Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes -
          Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes -
          Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes -
          Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational -
          - -
          - -## About MDT - -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. -- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. -- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager. - -## Install MDT - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` -2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. - -3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. - -3. If desired, re-enable IE Enhanced Security Configuration: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Create a deployment share and reference image - -A reference image serves as the foundation for Windows 10 devices in your organization. - -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**. - -5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -6. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
          - - Share name: **MDTBuildLab$**
          - - Deployment share description: **MDT build lab**
          - - Options: click **Next** to accept the default
          - - Summary: click **Next**
          - - Progress: settings will be applied
          - - Confirmation: click **Finish** - - -7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -10. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
          - - Source: **D:\\**
          - - Destination: **W10Ent_x64**
          - - Summary: click **Next** - - Progress: wait for files to be copied - - Confirmation: click **Finish** - - >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
          - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          - - Task sequence comments: **Reference Build**
          - - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - - -12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. - -14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. - -15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -18. Click **OK** to complete editing the task sequence. - -19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. - -20. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -22. Click **OK** to complete the configuration of the deployment share. - -23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - -
          - 
          -
-    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
-    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
-    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
-    Start-VM REFW10X64-001
-    vmconnect localhost REFW10X64-001
-
          -
          - - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. - -27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

          - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. - -## Deploy a Windows 10 image using MDT - -This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. - -1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: - - **Deployment share path**: C:\MDTProd - - **Share name**: MDTProd$ - - **Deployment share description**: MDT Production - - **Options**: accept the default - - -2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. - -3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. - -4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -5. On the **OS Type** page, choose **Custom image file** and then click **Next**. - -6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. - -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. - -8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. - -9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. - -10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: - - ![custom image](images/image.png) - - -### Create the deployment task sequence - -1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. - -2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 Custom Image - - Task sequence comments: Production Image - - Select Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 Custom Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - -### Configure the MDT production deployment share - -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` -2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. - -3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=administrator - DomainAdminDomain=CONTOSO - DomainAdminPassword=pass@word1 - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://SRV1:9800 - ``` - **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - - >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. - - If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): - - ``` - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - ``` - - For example, to migrate **all** users on the computer, replace this line with the following: - - ``` - ScanStateArgs=/all - ``` - - For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). - -4. Click **Edit Bootstap.ini** and replace text in the file with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTProd$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` -5. Click **OK** when finished. - -### Update the deployment share - -1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. - -3. Click **Finish** when the update is complete. - -### Enable deployment monitoring - -1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. - -2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). - -4. Close Internet Explorer. - -### Configure Windows Deployment Services - -1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All - ``` - -2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. - -3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. - -4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. - -### Deploy the client image - -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. - - >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** - - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >Wait until the disable-netadapter command completes before proceeding. - - -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 - ``` - - >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. - -3. Start the new VM and connect to it: - - ``` - Start-VM PC2 - vmconnect localhost PC2 - ``` -4. When prompted, hit ENTER to start the network boot process. - -5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. -8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - - ![finish](images/deploy-finish.png) - - -This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. - -## Refresh a computer with Windows 10 - -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). - -1. If the PC1 VM is not already running, then start and connect to it: - - ``` - Start-VM PC1 - vmconnect localhost PC1 - ``` - -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. Sign on to PC1 using the CONTOSO\Administrator account. - - >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. - -4. Open an elevated command prompt on PC1 and type the following: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - - **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. - -5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. Choose **Do not back up the existing computer** and click **Next**. - - **Note**: The USMT will still back up the computer. - -7. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. - - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. - -8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). - -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName RefreshState - ``` - -10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false - Start-VM PC1 - vmconnect localhost PC1 - ``` - -11. Sign in to PC1 using the contoso\administrator account. - -## Replace a computer with Windows 10 - -At a high level, the computer replace process consists of:
          -- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
          -- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. - -### Create a backup-only task sequence - -1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. -2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -Path C:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE - icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' - ``` -4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. -5. Name the new folder **Other**, and complete the wizard using default options. -6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: - - **Task sequence ID**: REPLACE-001 - - **Task sequence name**: Backup Only Task Sequence - - **Task sequence comments**: Run USMT to back up user data and settings - - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) -7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. - -### Run the backup-only task sequence - -1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: - - ``` - whoami - ``` -2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: - - ``` - Remove-Item c:\minint -recurse - Remove-Item c:\_SMSTaskSequence -recurse - Restart-Computer - ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` -4. Complete the deployment wizard using the following: - - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - - **Computer Backup**: Do not back up the existing computer. -5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. -7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - - ``` - PS C:\> dir C:\MigData\PC1\USMT - - Directory: C:\MigData\PC1\USMT - - Mode LastWriteTime Length Name - ---- ------------- ------ ---- - -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG - ``` - ### Deploy PC3 - -8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` -9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. - - -10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Start-VM PC3 - vmconnect localhost PC3 - ``` - -11. When prompted, press ENTER for network boot. - -12. On PC3, use the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** - -13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. - -15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. - -16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. - -17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. - -## Troubleshooting logs, events, and utilities - -Deployment logs are available on the client computer in the following locations: -- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS -- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS -- After deployment: %WINDIR%\TEMP\DeploymentLogs - -You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. - -Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) - -Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. - -## Related Topics - -[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
          -[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - - - - - - - +--- +title: Step by step - Deploy Windows 10 in a test lab using MDT +description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.topic: article +--- + + +# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) + +Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. + +>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +## In this guide + +This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
          + +
          + + +
          TopicDescriptionTime + +
          About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational +
          Install MDTDownload and install MDT.40 minutes +
          Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes +
          Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes +
          Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes +
          Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes +
          Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational +
          + +
          + +## About MDT + +MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. +- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. +- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. +- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager. + +## Install MDT + +1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: + + ``` + $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Stop-Process -Name Explorer + ``` +2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. + +3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. + +3. If desired, re-enable IE Enhanced Security Configuration: + + ``` + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Stop-Process -Name Explorer + ``` + +## Create a deployment share and reference image + +A reference image serves as the foundation for Windows 10 devices in your organization. + +1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**. + +5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +6. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
          + - Share name: **MDTBuildLab$**
          + - Deployment share description: **MDT build lab**
          + - Options: click **Next** to accept the default
          + - Summary: click **Next**
          + - Progress: settings will be applied
          + - Confirmation: click **Finish** + + +7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +10. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
          + - Source: **D:\\**
          + - Destination: **W10Ent_x64**
          + - Summary: click **Next** + - Progress: wait for files to be copied + - Confirmation: click **Finish** + + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
          + - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          + - Task sequence comments: **Reference Build**
          + - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + + +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. + +14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. + +15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +18. Click **OK** to complete editing the task sequence. + +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. + +20. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +22. Click **OK** to complete the configuration of the deployment share. + +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + +
          + 
          +
+    New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+    Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
+    Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
+    Start-VM REFW10X64-001
+    vmconnect localhost REFW10X64-001
+
          +
          + + The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. + +27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine.

          + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. + +## Deploy a Windows 10 image using MDT + +This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. + +1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd + - **Share name**: MDTProd$ + - **Deployment share description**: MDT Production + - **Options**: accept the default + + +2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. + +3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. + +4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +5. On the **OS Type** page, choose **Custom image file** and then click **Next**. + +6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. + +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. + +8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. + +9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. + +10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: + + ![custom image](images/image.png) + + +### Create the deployment task sequence + +1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. + +2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 Custom Image + - Task sequence comments: Production Image + - Select Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: http://www.contoso.com + - Admin Password: pass@word1 + +### Configure the MDT production deployment share + +1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + ``` + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force + ``` +2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. + +3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=administrator + DomainAdminDomain=CONTOSO + DomainAdminPassword=pass@word1 + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://SRV1:9800 + ``` + **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + + If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): + + ``` + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + ``` + + For example, to migrate **all** users on the computer, replace this line with the following: + + ``` + ScanStateArgs=/all + ``` + + For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). + +4. Click **Edit Bootstap.ini** and replace text in the file with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTProd$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` +5. Click **OK** when finished. + +### Update the deployment share + +1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. + +3. Click **Finish** when the update is complete. + +### Enable deployment monitoring + +1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. + +2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). + +4. Close Internet Explorer. + +### Configure Windows Deployment Services + +1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. + +3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. + +4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. + +### Deploy the client image + +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. + + >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >Wait until the disable-netadapter command completes before proceeding. + + +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 + ``` + + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + +3. Start the new VM and connect to it: + + ``` + Start-VM PC2 + vmconnect localhost PC2 + ``` +4. When prompted, hit ENTER to start the network boot process. + +5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. +8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. + + ![finish](images/deploy-finish.png) + + +This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. + +## Refresh a computer with Windows 10 + +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). + +1. If the PC1 VM is not already running, then start and connect to it: + + ``` + Start-VM PC1 + vmconnect localhost PC1 + ``` + +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. Sign on to PC1 using the CONTOSO\Administrator account. + + >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + +4. Open an elevated command prompt on PC1 and type the following: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` + + **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. + +5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. Choose **Do not back up the existing computer** and click **Next**. + + **Note**: The USMT will still back up the computer. + +7. Lite Touch Installation will perform the following actions: + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. + + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + +8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). + +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName RefreshState + ``` + +10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false + Start-VM PC1 + vmconnect localhost PC1 + ``` + +11. Sign in to PC1 using the contoso\administrator account. + +## Replace a computer with Windows 10 + +At a high level, the computer replace process consists of:
          +- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
          +- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. + +### Create a backup-only task sequence + +1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. +2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. +3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -Path C:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE + icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' + ``` +4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. +5. Name the new folder **Other**, and complete the wizard using default options. +6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 + - **Task sequence name**: Backup Only Task Sequence + - **Task sequence comments**: Run USMT to back up user data and settings + - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) +7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. +8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. + +### Run the backup-only task sequence + +1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: + + ``` + whoami + ``` +2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: + + ``` + Remove-Item c:\minint -recurse + Remove-Item c:\_SMSTaskSequence -recurse + Restart-Computer + ``` +3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` +4. Complete the deployment wizard using the following: + - **Task Sequence**: Backup Only Task Sequence + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** + - **Computer Backup**: Do not back up the existing computer. +5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: + + ``` + PS C:\> dir C:\MigData\PC1\USMT + + Directory: C:\MigData\PC1\USMT + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG + ``` + ### Deploy PC3 + +8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + ``` +9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + +10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` + +11. When prompted, press ENTER for network boot. + +12. On PC3, use the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + +13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + +15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. + +16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. + +## Troubleshooting logs, events, and utilities + +Deployment logs are available on the client computer in the following locations: +- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS +- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS +- After deployment: %WINDIR%\TEMP\DeploymentLogs + +You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. + +Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) + +Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. + +## Related Topics + +[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
          +[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) + + + + + + + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 1473adef20..d9a32a74be 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -1,1081 +1,1081 @@ ---- -title: Step by step - Deploy Windows 10 using System Center Configuration Manager -description: Deploy Windows 10 in a test lab using System Center Configuration Manager -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, sccm -ms.localizationpriority: medium -ms.date: 10/11/2017 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 in a test lab using System Center Configuration Manager - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: -- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) -- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - -Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. -This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - ->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. - -## In this guide - -This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
          - -
          - -
          TopicDescriptionTime - -
          Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes -
          Install System Center Configuration ManagerDownload System Center Configuration Manager, configure prerequisites, and install the package.45 minutes -
          Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes -
          Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes -
          Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes -
          Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes -
          Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
          Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes -
          Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes -
          Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes -
          Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes -
          Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes - -
          - -
          - -## Install prerequisites -1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ - ``` - - >If the request to add features fails, retry the installation by typing the command again. - -2. Download [SQL Server 2014 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso - ``` - - This command mounts the .ISO file to drive D on SRV1. - -4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - - ``` - D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms - ``` - Installation will take several minutes. When installation is complete, the following output will be displayed: - - ``` - Microsoft (R) SQL Server 2014 12.00.5000.00 - Copyright (c) Microsoft Corporation. All rights reserved. - - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - One or more affected files have operations pending. - You should restart your computer to complete this process. - PS C:\> - ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow - ``` - -7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. - -## Install System Center Configuration Manager - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` - -2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. - -3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - - ``` - Get-Service Winmgmt - - Status Name DisplayName - ------ ---- ----------- - Running Winmgmt Windows Management Instrumentation - - Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed - - ComputerName : 192.168.0.2 - RemoteAddress : 192.168.0.2 - RemotePort : 135 - AllNameResolutionResults : - MatchingIPsecRules : - NetworkIsolationContext : Internet - InterfaceAlias : Ethernet - SourceAddress : 192.168.0.2 - NetRoute (NextHop) : 0.0.0.0 - PingSucceeded : True - PingReplyDetails (RTT) : 0 ms - TcpTestSucceeded : True - ``` - You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. - - If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. - -4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe - ``` - -5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: - - ``` - adsiedit.msc - ``` - -6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. -8. Click **container** and then click **Next**. -9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. -10. Right-click **CN=system Management** and then click **Properties**. -11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. -12. Under **Enter the object names to select**, type **SRV1** and click **OK**. -13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. -15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. -16. Close the ADSI Edit console and switch back to SRV1. -17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe - ``` -18. Provide the following in the System Center Configuration Manager Setup Wizard: - - **Before You Begin**: Read the text and click *Next*. - - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - - Click **Yes** in response to the popup window. - - **Product Key**: Choose **Install the evaluation edition of this Product**. - - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. - - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. - - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. - - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. - - use default settings for all other options - - **Usage Data**: Read the text and click **Next**. - - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). - - **Settings Summary**: Review settings and click **Next**. - - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. - - Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. - -19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Download MDOP and install DaRT - ->[!IMPORTANT] ->This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). ->If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). - -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. - -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso - ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" - ``` -4. Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" - ``` - -## Prepare for Zero Touch installation - -This section contains several procedures to support Zero Touch installation with System Center Configuration Manager. - -### Create a folder structure - -1. Type the following commands at a Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" - New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" - New-Item -ItemType Directory -Path "C:\Logs" - New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE - New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE - ``` - -### Enable MDT ConfigMgr integration - -1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. -2. Type **PS1** next to **Site code**, and then click **Next**. -3. Verify **The process completed successfully** is displayed, and then click **Finish**. - -### Configure client settings - -1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. -2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. -3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. -4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. -5. In the display pane, double-click **Default Client Settings**. -6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. - -### Configure the network access account - -1. In the Administration workspace, expand **Site Configuration** and click **Sites**. -2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. -3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. -4. Click the yellow starburst and then click **New Account**. -5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. - -### Configure a boundary group - -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. -3. Choose **Default-First-Site-Name** and then click **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. -6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. -7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. - -### Add the state migration point role - -1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. -2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. -4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. -5. Click **Next** twice and then click **Close**. - -### Enable PXE on the distribution point - ->[!IMPORTANT] ->Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: - -``` -WDSUTIL /Set-Server /AnswerClients:None -``` - -1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - (Get-NetAdapter "Ethernet").MacAddress - ``` - >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. - -2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. -3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. -4. On the PXE tab, select the following settings: - - **Enable PXE support for clients**. Click **Yes** in the popup that appears. - - **Allow this distribution point to respond to incoming PXE requests** - - **Enable unknown computer support**. Click **OK** in the popup that appears. - - **Require a password when computers use PXE** - - **Password** and **Confirm password**: pass@word1 - - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. - - See the following example: - - Config Mgr PXE - -5. Click **OK**. -6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - - ``` - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 - - abortpxe.com - bootmgfw.efi - bootmgr.exe - pxeboot.com - pxeboot.n12 - wdsmgfw.efi - wdsnbp.com - ``` - >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. - >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: - - Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" - - Once the files are present in the REMINST share location, you can close the cmtrace tool. - -### Create a branding image file - -1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. -2. Type the following command at an elevated Windows PowerShell prompt: - - ``` - copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" - ``` - >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. - - -### Create a boot image for Configuration Manager - -1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. - - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. -4. On the Options page, under **Platform** choose **x64**, and click **Next**. -5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. -7. Click **Finish**. -8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. -9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. -10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - - ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) - ``` - -11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. -13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. -14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: - - ``` - cmd /c dir /s /b C:\RemoteInstall\SMSImages - - C:\RemoteInstall\SMSImages\PS100004 - C:\RemoteInstall\SMSImages\PS100005 - C:\RemoteInstall\SMSImages\PS100006 - C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim - C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim - C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim - ``` - - >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. - -### Create a Windows 10 reference image - -If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. - -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -5. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
          - - Share name: **MDTBuildLab$**
          - - Deployment share description: **MDT build lab**
          - - Options: click **Next** to accept the default
          - - Summary: click **Next**
          - - Progress: settings will be applied
          - - Confirmation: click **Finish** - -6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
          - - Source: **D:\\**
          - - Destination: **W10Ent_x64**
          - - Summary: click **Next** - - Confirmation: click **Finish** - -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. - -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
          - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          - - Task sequence comments: **Reference Build**
          - - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. - -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. - -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -17. Click **OK** to complete editing the task sequence. - -18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. - -19. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard TimeZoneName - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -21. Click **OK** to complete the configuration of the deployment share. - -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - - ``` - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine. - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. - -### Add a Windows 10 operating system image - -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - ``` - -2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. - -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. - -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. - -5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. - -6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. - - >If content distribution is not successful, verify that sufficient disk space is available. - -### Create a task sequence - ->Complete this section slowly. There are a large number of similar settings from which to choose. - -1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. - -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. - -4. On the Details page, enter the following settings: - - Join a domain: **contoso.com** - - Account: click **Set** - - User name: **contoso\CM_JD** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **OK** - - Windows Settings - - User name: **Contoso** - - Organization name: **Contoso** - - Product key: \ - - Administrator Account: **Enable the account and specify the local administrator password** - - Password: pass@word1 - - Confirm password: pass@word1 - - Click **Next** - -5. On the Capture Settings page, accept the default settings and click **Next**. - -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. - -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. - -8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. - -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. - -10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. - -11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. - -12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. - -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. - -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. - -15. On the Sysprep Package page, click **Next** twice. - -16. On the Confirmation page, click **Finish**. - -### Edit the task sequence - -1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. - -2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. - -3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. - -4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. - -5. Configure the **Request State Store** action that was just added with the following settings:
          - - Request state storage location to: **Restore state from another computer**
          - - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
          - - Options tab: Select the **Continue on error** checkbox.
          - - Add Condition: **Task Sequence Variable**:
          - - Variable: **USMTLOCAL**
          - - Condition: **not equals**
          - - Value: **True**
          - - Click **OK**.
          - - Click **Apply**
          . - -6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. - -7. Configure the **Release State Store** action that was just added with the following settings:
          - - Options tab: Select the **Continue on error** checkbox.
          - - Add Condition: **Task Sequence Variable**:
          - - Variable: **USMTLOCAL**
          - - Condition: **not equals**
          - - Value: **True**
          - - Click **OK**.
          - - Click **OK**
          . - - -### Finalize the operating system configuration - ->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. - -1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. - -2. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTProduction**
          - - Share name: **MDTProduction$**
          - - Deployment share description: **MDT Production**
          - - Options: click **Next** to accept the default
          - - Summary: click **Next**
          - - Progress: settings will be applied
          - - Confirmation: click **Finish** - -3. Right-click the **MDT Production** deployment share, and click **Properties**. - -4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" - ``` -6. Replace the contents of the file with the following text, and then save the file: - - ``` - [Settings] - Priority=Default - Properties=OSDMigrateConfigFiles,OSDMigrateMode - - [Default] - DoCapture=NO - ComputerBackupLocation=NONE - OSDMigrateMode=Advanced - OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* - OSDMigrateConfigFiles=Miguser.xml,Migapp.xml - SLSHARE=\\SRV1\Logs$ - EventService=http://SRV1:9800 - ApplyGPOPack=NO - ``` - - >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: - - ``` - OSDMigrateAdditionalCaptureOptions=/all - ``` - - -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. - -8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. - -9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. - -### Create a deployment for the task sequence - -1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. - -2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. - -3. On the Deployment Settings page, use the following settings:
          - - Purpose: **Available**
          - - Make available to the following: **Only media and PXE**
          - - Click **Next**.
          -4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. - -5. Click **Close**. - -## Deploy Windows 10 using PXE and Configuration Manager - -In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. - -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - Start-VM PC4 - vmconnect localhost PC4 - ``` - -2. Press ENTER when prompted to start the network boot service. - -3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. - -4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. - -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. - -6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. - - x:\smstslog\smsts.log after disks are formatted. - - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\smsts.log when the task sequence is complete. - - Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. - -7. In the explorer window, click **Tools** and then click **Map Network Drive**. - -8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. - -9. Close the Map Network Drive window, the Explorer window, and the command prompt. - -10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. - -11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: - - Install Windows 10 - - Install the Configuration Manager client and hotfix - - Join the computer to the contoso.com domain - - Install any applications that were specified in the reference image - - -12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. - -13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. - -14. Shut down the PC4 VM. - ->Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. - -## Replace a client with Windows 10 using Configuration Manager - ->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. - -![contoso.com\Computers](images/poc-computers.png) - -In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. - -### Create a replace task sequence - -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. - -3. On the General page, type the following: - - Task sequence name: **Replace Task Sequence** - - Task sequence comments: **USMT backup only** - -4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. -6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. -7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. -8. On the Summary page, review the details and then click **Next**. -9. On the Confirmation page, click **Finish**. - ->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. - -### Deploy PC4 - -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - -``` -New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 -Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 -Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF -``` - ->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. - -### Install the Configuration Manager client on PC1 - -1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). - -2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. -4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. -6. When a popup dialog box asks if you want to run full discovery, click **Yes**. -7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - - ![assets](images/sccm-assets.png) - - >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - - The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. - -8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: - - ``` - sc stop ccmsetup - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall - ``` - >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). - -9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: - - ``` - net stop wuauserv - net stop BITS - ``` - - Verify that both services were stopped successfully, then type the following at an elevated command prompt: - - ``` - del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers - ``` - - Verify that BITSAdmin displays 0 jobs. - -10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: - - ``` - "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 - ``` -11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: - - ``` - Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait - ``` - - Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. - -13. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` - -14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - - ![site](images/sccm-site.png) - - If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. - -15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. - -16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - - ![client](images/sccm-client.png) - - >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. - -### Create a device collection and deployment - -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **Install Windows 10 Enterprise x64**
          - - General > Limiting collection: **All Systems**
          - - Membership Rules > Add Rule: **Direct Rule**
          - - The **Create Direct Membership Rule Wizard** opens, click **Next**
          - - Search for Resources > Resource class: **System Resource**
          - - Search for Resources > Attribute name: **Name**
          - - Search for Resources > Value: **%**
          - - Select Resources > Value: Select the computername associated with the PC1 VM
          - - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) - -3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. - -4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. - -5. Use the following settings in the Deploy Software wizard: - - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
          - - Deployment Settings > Purpose: **Available**
          - - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
          - - Scheduling > Click **Next**
          - - User Experience > Click **Next**
          - - Alerts > Click **Next**
          - - Distribution Points > Click **Next**
          - - Summary > Click **Next**
          - - Verify that the wizard completed successfully and then click **Close** - - -### Associate PC4 with PC1 - -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. - -2. On the Select Source page, choose **Import single computer** and click **Next**. - -3. On the Single Computer page, use the following settings: - - Computer Name: **PC4** - - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ - -4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. - -5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. - -6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. - -7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. - -8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. - -9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. - -10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. - -11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - - ![collection](images/sccm-collection.png) - -### Create a device collection for PC1 - -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. - -2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **USMT Backup (Replace)**
          - - General > Limiting collection: **All Systems**
          - - Membership Rules > Add Rule: **Direct Rule**
          - - The **Create Direct Membership Rule Wizard** opens, click **Next**
          - - Search for Resources > Resource class: **System Resource**
          - - Search for Resources > Attribute name: **Name**
          - - Search for Resources > Value: **%**
          - - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
          - - Click **Next** twice and then click **Close** in both windows. - -3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. - -### Create a new deployment - -In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: -- General > Collection: **USMT Backup (Replace)**
          -- Deployment Settings > Purpose: **Available**
          -- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
          -- Scheduling: Click **Next**
          -- User Experience: Click **Next**
          -- Alerts: Click **Next**
          -- Distribution Points: Click **Next**
          -- Click **Next** and then click **Close**. - -### Verify the backup - -1. On PC1, open the Configuration Manager control panel applet by typing the following command: - - ``` - control smscfgrc - ``` -2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. - -3. Type the following at an elevated command prompt to open the Software Center: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - - ![software](images/sccm-software-cntr.png) - - >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. - -5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. -6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. - -### Deploy the new computer - -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: - - ``` - Start-VM PC4 - vmconnect localhost PC4 - ``` -2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. -3. Choose the **Windows 10 Enterprise X64** image. -4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. - - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name DC1 -SnapshotName cm-refresh - Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh - Checkpoint-VM -Name PC1 -SnapshotName cm-refresh - ``` - -## Refresh a client with Windows 10 using Configuration Manager - - -### Initiate the computer refresh - -1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. -2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. -3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. -4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - - ![installOS](images/sccm-install-os.png) - - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - - ![asset](images/sccm-asset.png) - - You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. - - When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - - ![post-refresh](images/sccm-post-refresh.png) - - - -## Related Topics - -[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) - - - - - - - +--- +title: Step by step - Deploy Windows 10 using System Center Configuration Manager +description: Deploy Windows 10 in a test lab using System Center Configuration Manager +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm +ms.localizationpriority: medium +ms.date: 10/11/2017 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 in a test lab using System Center Configuration Manager + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: +- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. +This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. + +## In this guide + +This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
          + +
          + +
          TopicDescriptionTime + +
          Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes +
          Install System Center Configuration ManagerDownload System Center Configuration Manager, configure prerequisites, and install the package.45 minutes +
          Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes +
          Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes +
          Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes +
          Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes +
          Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
          Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes +
          Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes +
          Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes +
          Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes +
          Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes + +
          + +
          + +## Install prerequisites +1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ + ``` + + >If the request to add features fails, retry the installation by typing the command again. + +2. Download [SQL Server 2014 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. +3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso + ``` + + This command mounts the .ISO file to drive D on SRV1. + +4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: + + ``` + D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms + ``` + Installation will take several minutes. When installation is complete, the following output will be displayed: + + ``` + Microsoft (R) SQL Server 2014 12.00.5000.00 + Copyright (c) Microsoft Corporation. All rights reserved. + + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 + Copyright (c) Microsoft Corporation. All rights reserved. + + Success + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 + Copyright (c) Microsoft Corporation. All rights reserved. + + Success + One or more affected files have operations pending. + You should restart your computer to complete this process. + PS C:\> + ``` +5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow + New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow + New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow + ``` + +7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. + +## Install System Center Configuration Manager + +1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: + + ``` + $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Stop-Process -Name Explorer + ``` + +2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. + +3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: + + ``` + Get-Service Winmgmt + + Status Name DisplayName + ------ ---- ----------- + Running Winmgmt Windows Management Instrumentation + + Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed + + ComputerName : 192.168.0.2 + RemoteAddress : 192.168.0.2 + RemotePort : 135 + AllNameResolutionResults : + MatchingIPsecRules : + NetworkIsolationContext : Internet + InterfaceAlias : Ethernet + SourceAddress : 192.168.0.2 + NetRoute (NextHop) : 0.0.0.0 + PingSucceeded : True + PingReplyDetails (RTT) : 0 ms + TcpTestSucceeded : True + ``` + You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. + + If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. + +4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: + + ``` + cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe + ``` + +5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: + + ``` + adsiedit.msc + ``` + +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. +8. Click **container** and then click **Next**. +9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. +10. Right-click **CN=system Management** and then click **Properties**. +11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. +12. Under **Enter the object names to select**, type **SRV1** and click **OK**. +13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. +14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. +15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. +16. Close the ADSI Edit console and switch back to SRV1. +17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe + ``` +18. Provide the following in the System Center Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and click *Next*. + - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. + - Click **Yes** in response to the popup window. + - **Product Key**: Choose **Install the evaluation edition of this Product**. + - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. + - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. + - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. + - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. + - use default settings for all other options + - **Usage Data**: Read the text and click **Next**. + - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). + - **Settings Summary**: Review settings and click **Next**. + - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. + + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. + + Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. + +19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: + + ``` + Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Stop-Process -Name Explorer + ``` + +## Download MDOP and install DaRT + +>[!IMPORTANT] +>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). +>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). + +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. + +2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso + ``` +3. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ``` +4. Install DaRT 10 using default settings. +5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" + ``` + +## Prepare for Zero Touch installation + +This section contains several procedures to support Zero Touch installation with System Center Configuration Manager. + +### Create a folder structure + +1. Type the following commands at a Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" + New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" + New-Item -ItemType Directory -Path "C:\Logs" + New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE + New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE + ``` + +### Enable MDT ConfigMgr integration + +1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. +2. Type **PS1** next to **Site code**, and then click **Next**. +3. Verify **The process completed successfully** is displayed, and then click **Finish**. + +### Configure client settings + +1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. +2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. +3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. +4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. +5. In the display pane, double-click **Default Client Settings**. +6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. + +### Configure the network access account + +1. In the Administration workspace, expand **Site Configuration** and click **Sites**. +2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. +3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. +4. Click the yellow starburst and then click **New Account**. +5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. +6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. + +### Configure a boundary group + +1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. +2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. +3. Choose **Default-First-Site-Name** and then click **OK** twice. +4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. +5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. +6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. +7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. + +### Add the state migration point role + +1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. +2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. +3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. +4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. +5. Click **Next** twice and then click **Close**. + +### Enable PXE on the distribution point + +>[!IMPORTANT] +>Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: + +``` +WDSUTIL /Set-Server /AnswerClients:None +``` + +1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + (Get-NetAdapter "Ethernet").MacAddress + ``` + >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. + +2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. +3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. +4. On the PXE tab, select the following settings: + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + + See the following example: + + Config Mgr PXE + +5. Click **OK**. +6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ``` + cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 + + abortpxe.com + bootmgfw.efi + bootmgr.exe + pxeboot.com + pxeboot.n12 + wdsmgfw.efi + wdsnbp.com + ``` + >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + + The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: + + Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" + + Once the files are present in the REMINST share location, you can close the cmtrace tool. + +### Create a branding image file + +1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. +2. Type the following command at an elevated Windows PowerShell prompt: + + ``` + copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" + ``` + >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. + + +### Create a boot image for Configuration Manager + +1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. + - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. +3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. +4. On the Options page, under **Platform** choose **x64**, and click **Next**. +5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. +7. Click **Finish**. +8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. +9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. +10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + + In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + + ``` + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) + ``` + +11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. +12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. +13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. +14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: + + ``` + cmd /c dir /s /b C:\RemoteInstall\SMSImages + + C:\RemoteInstall\SMSImages\PS100004 + C:\RemoteInstall\SMSImages\PS100005 + C:\RemoteInstall\SMSImages\PS100006 + C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim + C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim + C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim + ``` + + >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. + +### Create a Windows 10 reference image + +If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. + +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +5. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
          + - Share name: **MDTBuildLab$**
          + - Deployment share description: **MDT build lab**
          + - Options: click **Next** to accept the default
          + - Summary: click **Next**
          + - Progress: settings will be applied
          + - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
          + - Source: **D:\\**
          + - Destination: **W10Ent_x64**
          + - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
          + - Task sequence name: **Windows 10 Enterprise x64 Default Image**
          + - Task sequence comments: **Reference Build**
          + - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard TimeZoneName + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. + +### Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + ``` + +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. + +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. + +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. + +5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. + +6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. + + >If content distribution is not successful, verify that sufficient disk space is available. + +### Create a task sequence + +>Complete this section slowly. There are a large number of similar settings from which to choose. + +1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. + +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. + +4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \ + - Administrator Account: **Enable the account and specify the local administrator password** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **Next** + +5. On the Capture Settings page, accept the default settings and click **Next**. + +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. + +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. + +8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. + +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. + +10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. + +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. + +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. + +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. + +14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. + +15. On the Sysprep Package page, click **Next** twice. + +16. On the Confirmation page, click **Finish**. + +### Edit the task sequence + +1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. + +2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. + +3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. + +4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. + +5. Configure the **Request State Store** action that was just added with the following settings:
          + - Request state storage location to: **Restore state from another computer**
          + - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
          + - Options tab: Select the **Continue on error** checkbox.
          + - Add Condition: **Task Sequence Variable**:
          + - Variable: **USMTLOCAL**
          + - Condition: **not equals**
          + - Value: **True**
          + - Click **OK**.
          + - Click **Apply**
          . + +6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. + +7. Configure the **Release State Store** action that was just added with the following settings:
          + - Options tab: Select the **Continue on error** checkbox.
          + - Add Condition: **Task Sequence Variable**:
          + - Variable: **USMTLOCAL**
          + - Condition: **not equals**
          + - Value: **True**
          + - Click **OK**.
          + - Click **OK**
          . + + +### Finalize the operating system configuration + +>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. + +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. + +2. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTProduction**
          + - Share name: **MDTProduction$**
          + - Deployment share description: **MDT Production**
          + - Options: click **Next** to accept the default
          + - Summary: click **Next**
          + - Progress: settings will be applied
          + - Confirmation: click **Finish** + +3. Right-click the **MDT Production** deployment share, and click **Properties**. + +4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +5. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ``` +6. Replace the contents of the file with the following text, and then save the file: + + ``` + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\SRV1\Logs$ + EventService=http://SRV1:9800 + ApplyGPOPack=NO + ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. + +8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. + +9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. + +### Create a deployment for the task sequence + +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. + +2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. + +3. On the Deployment Settings page, use the following settings:
          + - Purpose: **Available**
          + - Make available to the following: **Only media and PXE**
          + - Click **Next**.
          +4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + +5. Click **Close**. + +## Deploy Windows 10 using PXE and Configuration Manager + +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + +1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + Start-VM PC4 + vmconnect localhost PC4 + ``` + +2. Press ENTER when prompted to start the network boot service. + +3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. + +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. + +5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. + +6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + +7. In the explorer window, click **Tools** and then click **Map Network Drive**. + +8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. + +9. Close the Map Network Drive window, the Explorer window, and the command prompt. + +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. + +11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 + - Install the Configuration Manager client and hotfix + - Join the computer to the contoso.com domain + - Install any applications that were specified in the reference image + + +12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. + +13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. + +14. Shut down the PC4 VM. + +>Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete. + +## Replace a client with Windows 10 using Configuration Manager + +>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. + +![contoso.com\Computers](images/poc-computers.png) + +In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. + +### Create a replace task sequence + +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. + +3. On the General page, type the following: + - Task sequence name: **Replace Task Sequence** + - Task sequence comments: **USMT backup only** + +4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. +8. On the Summary page, review the details and then click **Next**. +9. On the Confirmation page, click **Finish**. + +>If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. + +### Deploy PC4 + +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 +Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF +``` + +>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. + +### Install the Configuration Manager client on PC1 + +1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). + +2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. +6. When a popup dialog box asks if you want to run full discovery, click **Yes**. +7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): + + ![assets](images/sccm-assets.png) + + >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. + + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + +8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: + + ``` + sc stop ccmsetup + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall + ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). + +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: + + ``` + net stop wuauserv + net stop BITS + ``` + + Verify that both services were stopped successfully, then type the following at an elevated command prompt: + + ``` + del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + net start BITS + bitsadmin /list /allusers + ``` + + Verify that BITSAdmin displays 0 jobs. + +10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: + + ``` + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 + ``` +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: + + ``` + Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait + ``` + + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + +13. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` + +14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: + + ![site](images/sccm-site.png) + + If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. + +15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. + +16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: + + ![client](images/sccm-client.png) + + >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. + +### Create a device collection and deployment + +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64**
          + - General > Limiting collection: **All Systems**
          + - Membership Rules > Add Rule: **Direct Rule**
          + - The **Create Direct Membership Rule Wizard** opens, click **Next**
          + - Search for Resources > Resource class: **System Resource**
          + - Search for Resources > Attribute name: **Name**
          + - Search for Resources > Value: **%**
          + - Select Resources > Value: Select the computername associated with the PC1 VM
          + - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) + +3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. + +4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. + +5. Use the following settings in the Deploy Software wizard: + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
          + - Deployment Settings > Purpose: **Available**
          + - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
          + - Scheduling > Click **Next**
          + - User Experience > Click **Next**
          + - Alerts > Click **Next**
          + - Distribution Points > Click **Next**
          + - Summary > Click **Next**
          + - Verify that the wizard completed successfully and then click **Close** + + +### Associate PC4 with PC1 + +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. + +2. On the Select Source page, choose **Import single computer** and click **Next**. + +3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** + - MAC Address: **00:15:5D:83:26:FF** + - Source Computer: \ + +4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. + +5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. + +6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. + +7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. + +8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. + +9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. + +10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. + +11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: + + ![collection](images/sccm-collection.png) + +### Create a device collection for PC1 + +1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **USMT Backup (Replace)**
          + - General > Limiting collection: **All Systems**
          + - Membership Rules > Add Rule: **Direct Rule**
          + - The **Create Direct Membership Rule Wizard** opens, click **Next**
          + - Search for Resources > Resource class: **System Resource**
          + - Search for Resources > Attribute name: **Name**
          + - Search for Resources > Value: **%**
          + - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
          + - Click **Next** twice and then click **Close** in both windows. + +3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. + +### Create a new deployment + +In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +- General > Collection: **USMT Backup (Replace)**
          +- Deployment Settings > Purpose: **Available**
          +- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
          +- Scheduling: Click **Next**
          +- User Experience: Click **Next**
          +- Alerts: Click **Next**
          +- Distribution Points: Click **Next**
          +- Click **Next** and then click **Close**. + +### Verify the backup + +1. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` +2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. + +3. Type the following at an elevated command prompt to open the Software Center: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: + + ![software](images/sccm-software-cntr.png) + + >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. + +5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. +6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. + +### Deploy the new computer + +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: + + ``` + Start-VM PC4 + vmconnect localhost PC4 + ``` +2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. +3. Choose the **Windows 10 Enterprise X64** image. +4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. +5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. + + To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name DC1 -SnapshotName cm-refresh + Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh + Checkpoint-VM -Name PC1 -SnapshotName cm-refresh + ``` + +## Refresh a client with Windows 10 using Configuration Manager + + +### Initiate the computer refresh + +1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. +3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. +4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: + + ![installOS](images/sccm-install-os.png) + + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: + + ![asset](images/sccm-asset.png) + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + + ![post-refresh](images/sccm-post-refresh.png) + + + +## Related Topics + +[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + + + + + + + diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 422cae51ba..b12b80110d 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -1,1106 +1,1106 @@ ---- -title: Configure a test lab to deploy Windows 10 -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm -ms.localizationpriority: medium -author: greg-lindsay -ms.topic: article ---- - -# Step by step guide: Configure a test lab to deploy Windows 10 - -**Applies to** - -- Windows 10 - -This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: - -- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
          -- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
          - -The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. - -Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. - -Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. - -> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. -> -> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. - -Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. - -## In this guide - -This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. - -After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
          - -
          - - - -
          TopicDescriptionTime
          Hardware and software requirementsPrerequisites to complete this guide.Informational -
          Lab setupA description and diagram of the PoC environment.Informational -
          Configure the PoC environmentParent topic for procedures.Informational -
          Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes -
          Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes -
          Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes -
          Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes -
          Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -
          Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes -
          Configure VMsStart virtual machines and configure all services and settings.60 minutes -
          Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes -
          Appendix B: Terminology in this guideTerms used in this guide.Informational -
          -
          - -## Hardware and software requirements - -One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - -- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. -- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. - -Harware requirements are displayed below: - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Computer 1 (required)Computer 2 (recommended)
          RoleHyper-V hostClient computer
          DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
          OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
          EditionEnterprise, Professional, or EducationAny
          Architecture64-bitAny
          Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
          RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. -
          16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.          		Any
          Disk200 GB available hard disk space, any format.Any size, MBR formatted.
          CPUSLAT-Capable CPUAny
          NetworkInternet connectionAny
          - - -\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. -
          -
          The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. - -
          - -## Lab setup - -The lab architecture is summarized in the following diagram: - -![PoC](images/poc.png) - -- Computer 1 is configured to host four VMs on a private, PoC network. - - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. - ->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. - -The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. - -## Configure the PoC environment - ->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. - -### Procedures in this section - -[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
          -[Download VHD and ISO files](#download-vhd-and-iso-files)
          -[Convert PC to VM](#convert-pc-to-vm)
          -[Resize VHD](#resize-vhd)
          -[Configure Hyper-V](#configure-hyper-v)
          -[Configure VMs](#configure-vms)
          - -### Verify support and install Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - - 
          -    C:\>systeminfo
-
-    ...
-    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                               Virtualization Enabled In Firmware: Yes
-                               Second Level Address Translation: Yes
-                               Data Execution Prevention Available: Yes
-
          - - In this example, the computer supports SLAT and Hyper-V. - - If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - - 
          -    C:\>coreinfo -v
-
-    Coreinfo v3.31 - Dump information on system CPU and memory topology
-    Copyright (C) 2008-2014 Mark Russinovich
-    Sysinternals - www.sysinternals.com
-
-    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-    Microcode signature: 0000001B
-    HYPERVISOR      -       Hypervisor is present
-    VMX             *       Supports Intel hardware-assisted virtualization
-    EPT             *       Supports Intel extended page tables (SLAT)
-
          - - Note: A 64-bit operating system is required to run Hyper-V. - -2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: - - 
          Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
          - - This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: - - 
          Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
          - - When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. - - >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](images/hyper-v-feature.png) - - ![hyper-v](images/svr_mgr2.png) - -

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -### Download VHD and ISO files - -When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. - -1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. - - **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. - - After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - - - -
          VHD
          - -2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. -3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. - - >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. - -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. - -After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. - -The following displays the procedures described in this section, both before and after downloading files: - -

          -C:>mkdir VHD
-C:>cd VHD
-C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
-C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
-   1 file(s) copied.
-C:\VHD ren *.iso w10-enterprise.iso
-C:\VHD>dir /B
-2012R2-poc-1.vhd
-2012R2-poc-2.vhd
-w10-enterprise.iso
-
          - -### Convert PC to VM - ->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. - -
          -If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: -
          -
            -
          1. Open the Download virtual machines page. -
          2. Under Virtual machine, choose IE11 on Win7. -
          3. Under Select platform choose HyperV (Windows). -
          4. Click Download .zip. The download is 3.31 GB. -
          5. Extract the zip file. Three directories are created. -
          6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. -
          7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). -
          8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. -
          -
          - -If you have a PC available to convert to VM (computer 2): - -1. Sign in on computer 2 using an account with Administrator privileges. - ->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. - -2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. -3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). - -#### Determine the VM generation and partition type - -When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. - -
          - - - - - - - - - - - - - - - - - - - - -
          ArchitectureOperating systemPartition style
          Generation 132-bit or 64-bitWindows 7 or laterMBR
          Generation 264-bitWindows 8 or laterMBR or GPT
          - -
          - -If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - -- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. -- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: - -
          -Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
          - -If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: - -
          -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                           Caption                                 Type
-----------                           -------                                 ----
-USER-PC1                             Disk #0, Partition #0                   GPT: System
-USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
-
          - -On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: - -
          -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                            Caption                               Type
-----------                            -------                               ----
-PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
-PC-X1                                 Disk #0, Partition #1                 GPT: System
-PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
-
-PS C:> Get-Disk
-
-Number Friendly Name                  OperationalStatus                     Total Size Partition Style
------- -------------                  -----------------                     ---------- ---------------
-0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
-
          - - - -**Choosing a VM generation** - -The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. - -
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          OSPartition styleArchitectureVM generationProcedure
          Windows 7MBR321Prepare a generation 1 VM
          641Prepare a generation 1 VM
          GPT32N/AN/A
          641Prepare a generation 1 VM from a GPT disk
          Windows 8 or laterMBR321Prepare a generation 1 VM
          641, 2Prepare a generation 1 VM
          GPT321Prepare a generation 1 VM from a GPT disk
          642Prepare a generation 2 VM
          - -
          - -Notes:
          -
            -
          • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. -
          • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. -
          • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. -
          - -#### Prepare a generation 1 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). -4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
          -    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHDX
-
          - -#### Prepare a generation 2 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, open an elevated command prompt and type the following command: - - 
          mountvol s: /s
          - - This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). - -3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. - - **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. - -5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd-gen2.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
          -    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    PC1.VHDX
-
          - -#### Prepare a generation 1 VM from a GPT disk - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. -4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd4.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
          -    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHD
-
          - - >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. - -### Resize VHD - -
          -Enhanced session mode - -**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. - -To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - -
          Set-VMhost -EnableEnhancedSessionMode $TRUE
          - ->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. - -
          - -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. - -1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - 
          -    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
-    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
-    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
-
          - -2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: - - 
          -    Get-Volume -DriveLetter $x
-    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
          - -### Configure Hyper-V - -1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - - >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
          -    A) Remove the existing external virtual switch, then add the poc-external switch
          -    B) Rename the existing external switch to "poc-external"
          -    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
          - If you choose B) or C), then do not run the second command below. - - 
          -    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
-    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
-
          - - **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. - - >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" - -2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: - - 
          -    (Get-VMHostNumaNode).MemoryAvailable
-
          - - This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. - -3. Determine the available memory for VMs by dividing the available RAM by 4. For example: - - 
          -    (Get-VMHostNumaNode).MemoryAvailable/4
-    2775.5
-
          - - In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. - -4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. - >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. - - 
          -    $maxRAM = 2700MB
-    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
-    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
-    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
-    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
-    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
-
          - - **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. - -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. - - To create a generation 1 VM (using c:\vhd\w7.vhdx): - - 
          -    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
          - - To create a generation 2 VM (using c:\vhd\PC1.vhdx): - - 
          -    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
          - - To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): - - >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. - - First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: - - 
          -    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
-    Mount-VHD -Passthru |
-    Get-Disk -Number {$_.DiskNumber} |
-    Initialize-Disk -PartitionStyle MBR -PassThru |
-    New-Partition -UseMaximumSize |
-    Format-Volume -Confirm:$false -FileSystem NTFS -force
-    Dismount-VHD -Path c:\vhd\d.vhd
-
          - - Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): - - 
          -    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
-    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
-    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    Start-VM PC1
-    vmconnect localhost PC1
-
          - - The VM will automatically boot into Windows Setup. In the PC1 window: - - 1. Click **Next**. - 2. Click **Repair your computer**. - 3. Click **Troubleshoot**. - 4. Click **Command Prompt**. - 5. Type the following command to save an image of the OS drive: - - 
          -      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
-
          - - 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - - 
          -      diskpart
-      select disk 0
-      clean
-      convert MBR
-      create partition primary size=100
-      format fs=ntfs quick
-      active
-      create partition primary
-      format fs=ntfs quick label=OS
-      assign letter=c
-      exit
-
          - - 7. Type the following commands to restore the OS image and boot files: - - 
          -      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
-      bcdboot c:\windows
-      exit
-
          - - 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). - 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. - 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: - - 
          -       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
-       Set-VMDvdDrive -VMName PC1 -Path $null
-
          - -### Configure VMs - -1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: - - 
          -    Start-VM DC1
-    vmconnect localhost DC1
-
          - -2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. -3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. -5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: - - 
          -    Rename-Computer DC1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-
          - - > The default gateway at 192.168.0.2 will be configured later in this guide. - > - > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. - -6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: - - 
          -    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-
          - -7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: - - 
          -    Restart-Computer
-
          - -8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: - - 
          -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
-
          - - Ignore any warnings that are displayed. The computer will automatically reboot upon completion. - -9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: - - 
          -    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
-    Add-WindowsFeature -Name DHCP -IncludeManagementTools
-    netsh dhcp add securitygroups
-    Restart-Service DHCPServer
-    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
-    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
-
          - -10. Next, add a DHCP scope and set option values: - - 
          -    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
-    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
-
          - - >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. - -11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: - - 
          -    Get-DnsServerForwarder
-
          - - The following output should be displayed: - - 
          -    UseRootHint        : True
-    Timeout(s)         : 3
-    EnableReordering   : True
-    IPAddress          : 192.168.0.2
-    ReorderedIPAddress : 192.168.0.2
-
          - - If this output is not displayed, you can use the following command to add SRV1 as a forwarder: - - 
          -    Add-DnsServerForwarder -IPAddress 192.168.0.2
-
          - - **Configure service and user accounts** - - Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - - >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - - On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
-    Set-ADUser -Identity user1 -PasswordNeverExpires $true
-    Set-ADUser -Identity administrator -PasswordNeverExpires $true
-    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-
          - -12. Minimize the DC1 VM window but **do not stop** the VM. - - Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. - -13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: - - 
          -    Start-VM PC1
-    vmconnect localhost PC1
-
          - -14. Sign in to PC1 using an account that has local administrator rights. - - >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. - -15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - - ![PoC](images/installing-drivers.png) - - >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. - -16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. - -17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. - - To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: - - ``` - ipconfig - - Windows IP Configuration - - Ethernet adapter Local Area Connection 3: - Connection-specific DNS Suffix . : contoso.com - Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 - Ipv4 Address. . . . . . . . . . . : 192.168.0.101 - Subnet Mask . . . . . . . . . . . : 255.255.255.0 - Default Gateway . . . . . . . . . : 192.168.0.2 - - ping dc1.contoso.com - - Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - - nltest /dsgetdc:contoso.com - DC: \\DC1 - Address: \\192.168.0.1 - Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 - Dom Name: CONTOSO - Forest Name: contoso.com - Dc Site Name: Default-First-Site-Name - Our Site Name: Default-First-Site-Name - Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 - ``` - - >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. - -18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: - - 
          -    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-
          - - >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. - - See the following example: - - ![ISE](images/ISE.png) - -19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. -20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: - - 
          -    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
-    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
-
          - - >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - - If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. - -21. On PC1, type the following commands at an elevated Windows PowerShell prompt: - - 
          -    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
-
          - - >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. - -22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. -23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. -24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: - - 
          -    Start-VM SRV1
-    vmconnect localhost SRV1
-
          - -25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. -26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. -27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: - - 
          -    Rename-Computer SRV1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-    Restart-Computer
-
          - - >[!IMPORTANT] - >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. - -28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: - - 
          -    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-
          - -29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: - - 
          -    Install-WindowsFeature -Name DNS -IncludeManagementTools
-    Install-WindowsFeature -Name WDS -IncludeManagementTools
-    Install-WindowsFeature -Name Routing -IncludeManagementTools
-
          - -30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. - - To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: - - 
          -    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
-
-    IPAddress                                                                  InterfaceAlias
-    ---------                                                                  --------------
-    10.137.130.118                                                             Ethernet 2
-    192.168.0.2                                                                Ethernet
-
          - - In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. - - >[!TIP] - >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. - - -31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: - - 
          -    Install-RemoteAccess -VpnType Vpn
-    cmd /c netsh routing ip nat install
-    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
-    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
-    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
-
          - -32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - 
          -    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
-
          - -33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - - 
          -    ping www.microsoft.com
-
          - - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - - **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: - - 
          -    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
-
          - -34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): - - 
          -    PS C:\> ping www.microsoft.com
-
-    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
-    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
-
-    Ping statistics for 23.222.146.170:
-        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
-    Approximate round trip times in milli-seconds:
-        Minimum = 1ms, Maximum = 3ms, Average = 2ms
-
          - -35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. -36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: - - 
          -    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
-    Restart-Computer
-
          - -This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. - -## Appendix A: Verify the configuration - -Use the following procedures to verify that the PoC environment is configured properly and working as expected. - -1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    Get-Service NTDS,DNS,DHCP
-    DCDiag -a
-    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    Get-DhcpServerInDC
-    Get-DhcpServerv4Statistics
-    ipconfig /all
-
          - - **Get-Service** displays a status of "Running" for all three services.
          - **DCDiag** displays "passed test" for all tests.
          - **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
          - **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
          - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          - **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
          - **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
          - **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. - -2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    Get-Service DNS,RemoteAccess
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    ipconfig /all
-    netsh int ipv4 show address
-
          - - **Get-Service** displays a status of "Running" for both services.
          - **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
          - **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          - **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
          - **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. - -3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
          -    whoami
-    hostname
-    nslookup www.microsoft.com
-    ping -n 1 dc1.contoso.com
-    tracert www.microsoft.com
-
          - - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
          - **hostname** displays the name of the local computer, for example W7PC-001.
          - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
          - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
          - **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. - - -## Appendix B: Terminology used in this guide - -

            - -

          - - -
          TermDefinition -
          GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. -
          Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. -
          Hyper-V hostThe computer where Hyper-V is installed. -
          Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. -
          MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. -
          Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. -
          Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. -
          Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. -
          Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. -
          VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. -
          - -
          - -## Related Topics - - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) - - - - - - - - +--- +title: Configure a test lab to deploy Windows 10 +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.topic: article +--- + +# Step by step guide: Configure a test lab to deploy Windows 10 + +**Applies to** + +- Windows 10 + +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: + +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
          +- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
          + +The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. + +Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. + +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. + +> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. +> +> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. + +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. + +## In this guide + +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. + +After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
          + +
          + + + +
          TopicDescriptionTime
          Hardware and software requirementsPrerequisites to complete this guide.Informational +
          Lab setupA description and diagram of the PoC environment.Informational +
          Configure the PoC environmentParent topic for procedures.Informational +
          Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes +
          Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes +
          Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes +
          Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes +
          Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes +
          Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes +
          Configure VMsStart virtual machines and configure all services and settings.60 minutes +
          Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes +
          Appendix B: Terminology in this guideTerms used in this guide.Informational +
          +
          + +## Hardware and software requirements + +One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. + +- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. +- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. + +Harware requirements are displayed below: + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Computer 1 (required)Computer 2 (recommended)
          RoleHyper-V hostClient computer
          DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
          OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
          EditionEnterprise, Professional, or EducationAny
          Architecture64-bitAny
          Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
          RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. +
          16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.          		Any
          Disk200 GB available hard disk space, any format.Any size, MBR formatted.
          CPUSLAT-Capable CPUAny
          NetworkInternet connectionAny
          + + +\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. +
          +
          The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
          + +## Lab setup + +The lab architecture is summarized in the following diagram: + +![PoC](images/poc.png) + +- Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. + +>If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. + +The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. + +## Configure the PoC environment + +>**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. + +### Procedures in this section + +[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
          +[Download VHD and ISO files](#download-vhd-and-iso-files)
          +[Convert PC to VM](#convert-pc-to-vm)
          +[Resize VHD](#resize-vhd)
          +[Configure Hyper-V](#configure-hyper-v)
          +[Configure VMs](#configure-vms)
          + +### Verify support and install Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + + 
          +    C:\>systeminfo
+
+    ...
+    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                               Virtualization Enabled In Firmware: Yes
+                               Second Level Address Translation: Yes
+                               Data Execution Prevention Available: Yes
+
          + + In this example, the computer supports SLAT and Hyper-V. + + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + + 
          +    C:\>coreinfo -v
+
+    Coreinfo v3.31 - Dump information on system CPU and memory topology
+    Copyright (C) 2008-2014 Mark Russinovich
+    Sysinternals - www.sysinternals.com
+
+    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+    Microcode signature: 0000001B
+    HYPERVISOR      -       Hypervisor is present
+    VMX             *       Supports Intel hardware-assisted virtualization
+    EPT             *       Supports Intel extended page tables (SLAT)
+
          + + Note: A 64-bit operating system is required to run Hyper-V. + +2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: + + 
          Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
          + + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + + 
          Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
          + + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](images/hyper-v-feature.png) + + ![hyper-v](images/svr_mgr2.png) + +

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +### Download VHD and ISO files + +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. + +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. + + **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + + After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. + + + +
          VHD
          + +2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. +3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. +4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. + + >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. + +5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. + +After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. + +The following displays the procedures described in this section, both before and after downloading files: + +

          +C:>mkdir VHD
+C:>cd VHD
+C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
+C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+   1 file(s) copied.
+C:\VHD ren *.iso w10-enterprise.iso
+C:\VHD>dir /B
+2012R2-poc-1.vhd
+2012R2-poc-2.vhd
+w10-enterprise.iso
+
          + +### Convert PC to VM + +>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. + +
          +If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: +
          +
            +
          1. Open the Download virtual machines page. +
          2. Under Virtual machine, choose IE11 on Win7. +
          3. Under Select platform choose HyperV (Windows). +
          4. Click Download .zip. The download is 3.31 GB. +
          5. Extract the zip file. Three directories are created. +
          6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. +
          7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). +
          8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. +
          +
          + +If you have a PC available to convert to VM (computer 2): + +1. Sign in on computer 2 using an account with Administrator privileges. + +>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. + +2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. +3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). + +#### Determine the VM generation and partition type + +When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. + +
          + + + + + + + + + + + + + + + + + + + + +
          ArchitectureOperating systemPartition style
          Generation 132-bit or 64-bitWindows 7 or laterMBR
          Generation 264-bitWindows 8 or laterMBR or GPT
          + +
          + +If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. + +- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. +- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: + +
          +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
          + +If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: + +
          +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                           Caption                                 Type
+----------                           -------                                 ----
+USER-PC1                             Disk #0, Partition #0                   GPT: System
+USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
+
          + +On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: + +
          +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                            Caption                               Type
+----------                            -------                               ----
+PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
+PC-X1                                 Disk #0, Partition #1                 GPT: System
+PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
+
+PS C:> Get-Disk
+
+Number Friendly Name                  OperationalStatus                     Total Size Partition Style
+------ -------------                  -----------------                     ---------- ---------------
+0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
+
          + + + +**Choosing a VM generation** + +The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. + +
          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          OSPartition styleArchitectureVM generationProcedure
          Windows 7MBR321Prepare a generation 1 VM
          641Prepare a generation 1 VM
          GPT32N/AN/A
          641Prepare a generation 1 VM from a GPT disk
          Windows 8 or laterMBR321Prepare a generation 1 VM
          641, 2Prepare a generation 1 VM
          GPT321Prepare a generation 1 VM from a GPT disk
          642Prepare a generation 2 VM
          + +
          + +Notes:
          +
            +
          • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. +
          • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. +
          • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. +
          + +#### Prepare a generation 1 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). +4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
          +    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHDX
+
          + +#### Prepare a generation 2 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, open an elevated command prompt and type the following command: + + 
          mountvol s: /s
          + + This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). + +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. + + **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd-gen2.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
          +    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    PC1.VHDX
+
          + +#### Prepare a generation 1 VM from a GPT disk + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd4.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
          +    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHD
+
          + + >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + +### Resize VHD + +
          +Enhanced session mode + +**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. + +To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + +
          Set-VMhost -EnableEnhancedSessionMode $TRUE
          + +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +
          + +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. + +1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + 
          +    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
+    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
+
          + +2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: + + 
          +    Get-Volume -DriveLetter $x
+    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
          + +### Configure Hyper-V + +1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": + + >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
          +    A) Remove the existing external virtual switch, then add the poc-external switch
          +    B) Rename the existing external switch to "poc-external"
          +    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
          + If you choose B) or C), then do not run the second command below. + + 
          +    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
          + + **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. + + >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" + +2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: + + 
          +    (Get-VMHostNumaNode).MemoryAvailable
+
          + + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: + + 
          +    (Get-VMHostNumaNode).MemoryAvailable/4
+    2775.5
+
          + + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. + >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. + + 
          +    $maxRAM = 2700MB
+    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
+    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
+    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
+    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
+    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
+
          + + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. + + To create a generation 1 VM (using c:\vhd\w7.vhdx): + + 
          +    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
          + + To create a generation 2 VM (using c:\vhd\PC1.vhdx): + + 
          +    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
          + + To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): + + >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. + + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + + 
          +    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+    Mount-VHD -Passthru |
+    Get-Disk -Number {$_.DiskNumber} |
+    Initialize-Disk -PartitionStyle MBR -PassThru |
+    New-Partition -UseMaximumSize |
+    Format-Volume -Confirm:$false -FileSystem NTFS -force
+    Dismount-VHD -Path c:\vhd\d.vhd
+
          + + Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): + + 
          +    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
+    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
+    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+    Start-VM PC1
+    vmconnect localhost PC1
+
          + + The VM will automatically boot into Windows Setup. In the PC1 window: + + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: + + 
          +      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+
          + + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + + 
          +      diskpart
+      select disk 0
+      clean
+      convert MBR
+      create partition primary size=100
+      format fs=ntfs quick
+      active
+      create partition primary
+      format fs=ntfs quick label=OS
+      assign letter=c
+      exit
+
          + + 7. Type the following commands to restore the OS image and boot files: + + 
          +      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+      bcdboot c:\windows
+      exit
+
          + + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + + 
          +       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+       Set-VMDvdDrive -VMName PC1 -Path $null
+
          + +### Configure VMs + +1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: + + 
          +    Start-VM DC1
+    vmconnect localhost DC1
+
          + +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. +3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: + + 
          +    Rename-Computer DC1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+
          + + > The default gateway at 192.168.0.2 will be configured later in this guide. + > + > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + +6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: + + 
          +    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
          + +7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: + + 
          +    Restart-Computer
+
          + +8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: + + 
          +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
+
          + + Ignore any warnings that are displayed. The computer will automatically reboot upon completion. + +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: + + 
          +    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
+    Add-WindowsFeature -Name DHCP -IncludeManagementTools
+    netsh dhcp add securitygroups
+    Restart-Service DHCPServer
+    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
+    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+
          + +10. Next, add a DHCP scope and set option values: + + 
          +    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
+    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
+
          + + >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: + + 
          +    Get-DnsServerForwarder
+
          + + The following output should be displayed: + + 
          +    UseRootHint        : True
+    Timeout(s)         : 3
+    EnableReordering   : True
+    IPAddress          : 192.168.0.2
+    ReorderedIPAddress : 192.168.0.2
+
          + + If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + + 
          +    Add-DnsServerForwarder -IPAddress 192.168.0.2
+
          + + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+    Set-ADUser -Identity user1 -PasswordNeverExpires $true
+    Set-ADUser -Identity administrator -PasswordNeverExpires $true
+    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+
          + +12. Minimize the DC1 VM window but **do not stop** the VM. + + Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + +13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: + + 
          +    Start-VM PC1
+    vmconnect localhost PC1
+
          + +14. Sign in to PC1 using an account that has local administrator rights. + + >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + +15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. + + ![PoC](images/installing-drivers.png) + + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + +16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. + +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. + + To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + + ``` + ipconfig + + Windows IP Configuration + + Ethernet adapter Local Area Connection 3: + Connection-specific DNS Suffix . : contoso.com + Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 + Ipv4 Address. . . . . . . . . . . : 192.168.0.101 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : 192.168.0.2 + + ping dc1.contoso.com + + Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + + nltest /dsgetdc:contoso.com + DC: \\DC1 + Address: \\192.168.0.1 + Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 + Dom Name: CONTOSO + Forest Name: contoso.com + Dc Site Name: Default-First-Site-Name + Our Site Name: Default-First-Site-Name + Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 + ``` + + >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: + + 
          +    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+
          + + >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + + See the following example: + + ![ISE](images/ISE.png) + +19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: + + 
          +    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+
          + + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + +21. On PC1, type the following commands at an elevated Windows PowerShell prompt: + + 
          +    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
+
          + + >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + +22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: + + 
          +    Start-VM SRV1
+    vmconnect localhost SRV1
+
          + +25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. +27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: + + 
          +    Rename-Computer SRV1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+    Restart-Computer
+
          + + >[!IMPORTANT] + >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. + +28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: + + 
          +    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+
          + +29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: + + 
          +    Install-WindowsFeature -Name DNS -IncludeManagementTools
+    Install-WindowsFeature -Name WDS -IncludeManagementTools
+    Install-WindowsFeature -Name Routing -IncludeManagementTools
+
          + +30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. + + To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: + + 
          +    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+
+    IPAddress                                                                  InterfaceAlias
+    ---------                                                                  --------------
+    10.137.130.118                                                             Ethernet 2
+    192.168.0.2                                                                Ethernet
+
          + + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. + + >[!TIP] + >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. + + +31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: + + 
          +    Install-RemoteAccess -VpnType Vpn
+    cmd /c netsh routing ip nat install
+    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
+    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
+    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
+
          + +32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + 
          +    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
+
          + +33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: + + 
          +    ping www.microsoft.com
+
          + + If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + + 
          +    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
+
          + +34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): + + 
          +    PS C:\> ping www.microsoft.com
+
+    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
+    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
+
+    Ping statistics for 23.222.146.170:
+        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+    Approximate round trip times in milli-seconds:
+        Minimum = 1ms, Maximum = 3ms, Average = 2ms
+
          + +35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: + + 
          +    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+    Restart-Computer
+
          + +This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. + +## Appendix A: Verify the configuration + +Use the following procedures to verify that the PoC environment is configured properly and working as expected. + +1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    Get-Service NTDS,DNS,DHCP
+    DCDiag -a
+    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    Get-DhcpServerInDC
+    Get-DhcpServerv4Statistics
+    ipconfig /all
+
          + + **Get-Service** displays a status of "Running" for all three services.
          + **DCDiag** displays "passed test" for all tests.
          + **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
          + **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
          + **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          + **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
          + **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
          + **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. + +2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    Get-Service DNS,RemoteAccess
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    ipconfig /all
+    netsh int ipv4 show address
+
          + + **Get-Service** displays a status of "Running" for both services.
          + **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
          + **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          + **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
          + **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + +3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
          +    whoami
+    hostname
+    nslookup www.microsoft.com
+    ping -n 1 dc1.contoso.com
+    tracert www.microsoft.com
+
          + + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
          + **hostname** displays the name of the local computer, for example W7PC-001.
          + **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
          + **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
          + **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + + +## Appendix B: Terminology used in this guide + +

            + +

          + + +
          TermDefinition +
          GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. +
          Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. +
          Hyper-V hostThe computer where Hyper-V is installed. +
          Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. +
          MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. +
          Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. +
          Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. +
          Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. +
          Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. +
          VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. +
          + +
          + +## Related Topics + + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + + + + + + + + diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index e38607bd29..412dceea4f 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -1,90 +1,90 @@ ---- -title: Switch to Windows 10 Pro/Enterprise from S mode -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional. -keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.prod: w10 -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Switch to Windows 10 Pro or Enterprise from S mode - -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. - - -A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: - - - - -| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | | -|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------| -| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) | -| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method | -| | Pro | Pro EDU | Not by any method | Not by any method | -| | Home | Not by any method | Not by any method | Not by any method | -| | | | | | -| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method | -| | Pro | Pro EDU | Not by any method | Not by any method | -| | Home in S mode | Not by any method | Home | Not by this method | -| | Home | Not by any method | Not by any method | Not by any method | -| | | | | | -| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro | -| | Pro | Pro EDU | Not by any method | Not by any method | -| | Home in S mode | Not by any method | Home | Home | -| | Home | Not by any method | Not by any method | Not by any method | - - -Use the following information to switch to Windows 10 Pro through the Microsoft Store. -> [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. - -## Switch one device through the Microsoft Store -Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. - -Note these differences affecting switching modes in various releases of Windows 10: - -- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. -- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. -- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. - - -1. Sign into the Microsoft Store using your Microsoft account. -2. Search for "S mode". -3. In the offer, select **Buy**, **Get**, or **Learn more.** - -You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. - -## Switch one or more devices by using Microsoft Intune - -Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. - -1. Start Microsoft Intune. -2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. -3. Follow the instructions to complete the switch. - - -## Block users from switching - -You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. -To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. - -## S mode management with CSPs - -In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode). - - -## Related topics - -[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
          -[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
          -[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
          -[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune) +--- +title: Switch to Windows 10 Pro/Enterprise from S mode +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional. +keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Switch to Windows 10 Pro or Enterprise from S mode + +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. + + +A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: + + + + +| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | | +|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------| +| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) | +| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home | Not by any method | Not by any method | Not by any method | +| | | | | | +| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home in S mode | Not by any method | Home | Not by this method | +| | Home | Not by any method | Not by any method | Not by any method | +| | | | | | +| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro | +| | Pro | Pro EDU | Not by any method | Not by any method | +| | Home in S mode | Not by any method | Home | Home | +| | Home | Not by any method | Not by any method | Not by any method | + + +Use the following information to switch to Windows 10 Pro through the Microsoft Store. +> [!IMPORTANT] +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. + +## Switch one device through the Microsoft Store +Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. + +Note these differences affecting switching modes in various releases of Windows 10: + +- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. +- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. +- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. + + +1. Sign into the Microsoft Store using your Microsoft account. +2. Search for "S mode". +3. In the offer, select **Buy**, **Get**, or **Learn more.** + +You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. + +## Switch one or more devices by using Microsoft Intune + +Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. + +1. Start Microsoft Intune. +2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. +3. Follow the instructions to complete the switch. + + +## Block users from switching + +You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. +To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. + +## S mode management with CSPs + +In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode). + + +## Related topics + +[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
          +[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
          +[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
          +[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index cb36507a31..198a7e9aa2 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,226 +1,226 @@ ---- -title: Windows 10 Subscription Activation -description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -author: greg-lindsay -manager: laurawi -ms.collection: M365-modern-desktop -search.appverid: -- MET150 -ms.topic: article ---- - -# Windows 10 Subscription Activation - -Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. - -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. - -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. - -## Subscription Activation for Windows 10 Enterprise - -With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. - - If you are running Windows 10, version 1703 or later: - -- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. -- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. - -Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis). - -## Subscription Activation for Windows 10 Education - -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. - -## In this article - -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. -- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. -- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. -- [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. - -For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Inherited Activation - -Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. - -When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. - -To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. - -## The evolution of deployment - ->The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/). - -The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. - -![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) - -- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
          -- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
          -- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
          -- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
          -- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
          -- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
          -- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
          -- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. - -## Requirements - -### Windows 10 Enterprise requirements - -For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: - -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. -- Azure Active Directory (Azure AD) available for identity management. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. - - >[!NOTE] - >An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal. - -For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). - -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) - -### Windows 10 Education requirements - -1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security> Activation. -3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. - ->If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - - -## Benefits - -With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: - -- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare) -- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing) - -You can benefit by moving to Windows as an online service in the following ways: - -1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. -2. User logon triggers a silent edition upgrade, with no reboot required -3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. -4. Compliance support via seat assignment. -5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. - -## How it works - -The device is AAD joined from Settings > Accounts > Access work or school. - -The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. - -![Windows 10 Enterprise](images/ent.png) - -When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. - -Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. - -The following figures summarize how the Subscription Activation model works: - -Before Windows 10, version 1903:
          -![1703](images/before.png) - -After Windows 10, version 1903:
          -![1903](images/after.png) - -Note: -1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). -2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). - -### Scenarios - -**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. - -**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: - -
          -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
          - -The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. - -**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. - -In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. - -If you’re running Windows 7, it can be more work.  A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step.  This method also works if you are running Windows 8.1 Pro. - -### Licenses - -The following policies apply to acquisition and renewal of licenses on devices: -- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. -- If a device the meets requirements and a licensed user signs in on that device, it will be upgraded. - -Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). - -### Existing Enterprise deployments - -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. - -If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: - -
          -@echo off
-FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  ( 
-SET "ProductKey=%%A"
-goto InstallKey
-)
-
-:InstallKey
-IF [%ProductKey%]==[] (
-echo No key present
-) ELSE (
-echo Installing %ProductKey%
-changepk.exe /ProductKey %ProductKey%
-)
-
          - -### Obtaining an Azure AD license - -Enterprise Agreement/Software Assurance (EA/SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). -- The license administrator can assign seats to Azure AD users with the same process that is used for O365. -- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. - -Microsoft Products & Services Agreements (MPSA): -- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. -- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. -- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. - -### Deploying licenses - -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Virtual Desktop Access (VDA) - -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). - -Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). - -## Related topics - -[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
          -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
          -[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
          +--- +title: Windows 10 Subscription Activation +description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro author: greg-lindsay +manager: laurawi +ms.collection: M365-modern-desktop +search.appverid: +- MET150 +ms.topic: article +--- + +# Windows 10 Subscription Activation + +Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. + +With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. + +The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. + +## Subscription Activation for Windows 10 Enterprise + +With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. + + If you are running Windows 10, version 1703 or later: + +- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. +- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. + +Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis). + +## Subscription Activation for Windows 10 Education + +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. + +## In this article + +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. +- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Inherited Activation + +Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. + +When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. + +To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. + +## The evolution of deployment + +>The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/). + +The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. + +![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) + +- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
          +- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
          +- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
          +- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
          +- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
          +- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
          +- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
          +- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. + +## Requirements + +### Windows 10 Enterprise requirements + +For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: + +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. +- Azure Active Directory (Azure AD) available for identity management. +- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + + >[!NOTE] + >An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal. + +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). + +If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) + +### Windows 10 Education requirements + +1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. +2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security> Activation. +3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. +4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + +>If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. + + +## Benefits + +With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: + +- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing) + +You can benefit by moving to Windows as an online service in the following ways: + +1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +2. User logon triggers a silent edition upgrade, with no reboot required +3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. +4. Compliance support via seat assignment. +5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. + +## How it works + +The device is AAD joined from Settings > Accounts > Access work or school. + +The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. + +![Windows 10 Enterprise](images/ent.png) + +When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. + +Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. + +The following figures summarize how the Subscription Activation model works: + +Before Windows 10, version 1903:
          +![1703](images/before.png) + +After Windows 10, version 1903:
          +![1903](images/after.png) + +Note: +1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). + +### Scenarios + +**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). + +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. + +**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). + +To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: + +
          +cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
          + +The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. + +**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. + +In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. + +If you’re running Windows 7, it can be more work.  A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step.  This method also works if you are running Windows 8.1 Pro. + +### Licenses + +The following policies apply to acquisition and renewal of licenses on devices: +- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. +- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. +- Up to five devices can be upgraded for each user license. +- If a device the meets requirements and a licensed user signs in on that device, it will be upgraded. + +Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). + +### Existing Enterprise deployments + +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. + +If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. + +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: + +
          +@echo off
+FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  ( 
+SET "ProductKey=%%A"
+goto InstallKey
+)
+
+:InstallKey
+IF [%ProductKey%]==[] (
+echo No key present
+) ELSE (
+echo Installing %ProductKey%
+changepk.exe /ProductKey %ProductKey%
+)
+
          + +### Obtaining an Azure AD license + +Enterprise Agreement/Software Assurance (EA/SA): +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). +- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. + +Microsoft Products & Services Agreements (MPSA): +- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. +- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. + +### Deploying licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). + +## Related topics + +[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
          +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
          +[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
          diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 01d42ef15d..861ef1b1ad 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -1,97 +1,97 @@ ---- -title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) -description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. -ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.reviewer: -manager: laurawi -ms.author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.date: 07/27/2017 -ms.topic: article ---- - -# Windows ADK for Windows 10 scenarios for IT Pros - - -The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). - -In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). - -Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. - -### Create a Windows image using command-line tools - -[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. - -Here are some things you can do with DISM: - -- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) -- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) -- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) -- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) -- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) -- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) -- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) - -[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. - -Here are some things you can do with Sysprep: - -- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) -- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) -- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) - -[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. - -Here are ways you can create a WinPE image: - -- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) -- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) - -[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. - -Here are some things you can do with Windows RE: - -- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) -- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) - -[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. - -Here are some things you can do with Windows SIM: - -- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) -- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) -- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) -- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) - -For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. - -### Create a Windows image using Windows ICD - -Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. - -Here are some things you can do with Windows ICD: - -- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) -- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) -- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) - -### IT Pro Windows deployment tools - -There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: - -- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) - -  - -  - - - - - +--- +title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) +description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. +ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B +ms.reviewer: +manager: laurawi +ms.audience: itpro author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.date: 07/27/2017 +ms.topic: article +--- + +# Windows ADK for Windows 10 scenarios for IT Pros + + +The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). + +In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). + +Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. + +### Create a Windows image using command-line tools + +[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. + +Here are some things you can do with DISM: + +- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) +- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) +- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) +- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) +- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) +- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) +- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) + +[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. + +Here are some things you can do with Sysprep: + +- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) +- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) +- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) + +[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. + +Here are ways you can create a WinPE image: + +- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) +- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) + +[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. + +Here are some things you can do with Windows RE: + +- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) +- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) + +[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. + +Here are some things you can do with Windows SIM: + +- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) +- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) +- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) +- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) + +For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. + +### Create a Windows image using Windows ICD + +Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. + +Here are some things you can do with Windows ICD: + +- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) +- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) +- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) + +### IT Pro Windows deployment tools + +There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: + +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 5d487c958c..73b9410bf7 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -26,4 +26,4 @@ ## [Contacts](autopilot-support.md) ## [Registration authorization](registration-auth.md) ## [Device guidelines](autopilot-device-guidelines.md) -## [Motherboard replacement](autopilot-mbr.md) \ No newline at end of file +## [Motherboard replacement](autopilot-mbr.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 73f7445a6c..a8090d1812 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -1,162 +1,162 @@ ---- -title: Adding devices -ms.reviewer: -manager: laurawi -description: How to add devices to Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Adding devices to Windows Autopilot - -**Applies to** - -- Windows 10 - -Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. - -## OEM registration - -When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot). - -Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). - -## Reseller, distributor, or partner registration - -Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. - -As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. - -Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. - -## Automatic registration of existing devices - -If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. - -For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. - -Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. - -## Manual registration - -To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. - -## Device identification - -To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. - -The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. - -Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. - -### Collecting the hardware ID from existing devices using System Center Configuration Manager - -Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. - -### Collecting the hardware ID from existing devices using PowerShell - -The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). - -To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: - -```powershell -md c:\\HWID -Set-Location c:\\HWID -Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Install-Script -Name Get-WindowsAutoPilotInfo -Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv -``` - -The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. - ->[!IMPORTANT] ->Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
          ->After Intune reports the profile ready to go, only then should the device be connected to the Internet. - ->[!NOTE] ->If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
          ->**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
          ->To ensure OOBE has not been restarted too many times, you can change this value to 1. - -## Registering devices - - - - -Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. - -- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. -- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. -- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. -- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. - -A summary of each platform's capabilities is provided below. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Platform/Portal -Register devices? -Create/Assign profile -Acceptable DeviceID -
          OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
          Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
          IntuneYES - 500 at a time max\*YES\*4K HH
          Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
          Microsoft Business 365YES - 1000 at a time maxYES4K HH
          - ->*Microsoft recommended platform to use - -## Summary - -When deploying new devices using Windows Autopilot, the following steps are required: - -1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. -2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. -3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. - -## Other configuration settings - -- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. - +--- +title: Adding devices +ms.reviewer: +manager: laurawi +description: How to add devices to Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Adding devices to Windows Autopilot + +**Applies to** + +- Windows 10 + +Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. + +## OEM registration + +When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot). + +Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). + +## Reseller, distributor, or partner registration + +Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. + +As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. + +Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. + +## Automatic registration of existing devices + +If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. + +For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. + +Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. + +## Manual registration + +To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. + +## Device identification + +To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. + +The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. + +Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. + +### Collecting the hardware ID from existing devices using System Center Configuration Manager + +Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. + +### Collecting the hardware ID from existing devices using PowerShell + +The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). + +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: + +```powershell +md c:\\HWID +Set-Location c:\\HWID +Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted +Install-Script -Name Get-WindowsAutoPilotInfo +Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv +``` + +The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. + +>[!IMPORTANT] +>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
          +>After Intune reports the profile ready to go, only then should the device be connected to the Internet. + +>[!NOTE] +>If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
          +>**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
          +>To ensure OOBE has not been restarted too many times, you can change this value to 1. + +## Registering devices + + + + +Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. + +- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. +- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. +- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. +- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. + +A summary of each platform's capabilities is provided below. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Platform/Portal +Register devices? +Create/Assign profile +Acceptable DeviceID +
          OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
          Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
          IntuneYES - 500 at a time max\*YES\*4K HH
          Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
          Microsoft Business 365YES - 1000 at a time maxYES4K HH
          + +>*Microsoft recommended platform to use + +## Summary + +When deploying new devices using Windows Autopilot, the following steps are required: + +1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. +2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. +3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. + +## Other configuration settings + +- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. + diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md index d379b288a9..563e086966 100644 --- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md +++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md @@ -4,12 +4,12 @@ ms.reviewer: manager: laurawi description: Windows Autopilot deployment keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -audience: itpro ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 935565887e..01cdb3ef63 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -1,164 +1,164 @@ ---- -title: Windows Autopilot support -ms.reviewer: -manager: laurawi -description: Support information for Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot FAQ - -**Applies to: Windows 10** - -This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. - -A [glossary](#glossary) of abbreviations used in this topic is provided at the end. - - -## Microsoft Partner Center - -| Question | Answer | -| --- | --- | -| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. | -| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. | -| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | -| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | -| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| -| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

          Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | -| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | -| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

          1. Direct CSP: Gets direct authorization from the customer to register devices.

          2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

          3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | - -## Manufacturing - -| Question | Answer | -| --- | --- | -| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. | -| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. | -| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. | -| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). | -| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. | -| Will there be any change to the existing CBR with 4k Hardware Hash? | No. | -| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. | -| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. | - -## CSV schema - -| Question | Answer | -| --- | --- | -| Can a comma be used in the CSV file? | No. | -| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the “In Microsoft Store for Business” section of this guide. | -| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. | -| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). | - - -## Hardware hash - -| Question | Answer | -| --- | --- | -| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. | -| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. | -| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. | -| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. | - -## Motherboard replacement - -| Question | Answer | -| --- | --- | -| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.

          To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).

          **Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.| - -## SMBIOS - -| Question | Answer | -| --- | --- | -| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. | -| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). | -| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub | - -## Technical interface - -| Question | Answer | -| --- | --- | -| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. | -| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. | - -## The end user experience - -|Question|Answer| -|----|-----| -|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.| -|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). | -| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.| -|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.| -|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.| -|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.| -|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.| - -## MDM - -| Question | Answer | -| --- | --- | -| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | -| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | -| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | -| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. | - - -## Features - -| Question | Answer | -| --- | --- | -| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). | -| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). | -| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. | -| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included | -| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. | - - - -## General - -|Question|Answer -|------------------|-----------------| -|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.| -|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.| -|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

          Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.

          **Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. | -|What is the impact of not updating to 7B?|See the detailed scenario described directly above.| -|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.| -|Does Windows Autopilot work after MBR or image re-installation?|Yes.| -| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.| -|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.| -|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.| -|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.| -|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:

          1. OEM Direct API (only available to TVOs)
          2. MPC via the MPC API (must be a CSP)
          3. MPC via manual upload of CSV file in the UI (must be a CSP)
          4. MSfB via CSV file upload
          5. Intune via CSV file upload
          6. Microsoft 365 Business portal via CSV file upload| -|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:

          1. Through MPC (must be a CSP)
          2. Through MSfB
          3. Through Intune (or another MDM)
          4. Microsoft 365 Business portal

          Microsoft recommends creation and assignment of profiles through Intune. | -| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts
          2. Hidden special characters in CSV files.

          To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.| -| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.| -| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
          - Azure Germany
          - Azure China
          - Azure Government
          So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.| - -## Glossary - -| Term | Meaning | -| --- | --- | -| CSV | Comma Separated Values (File type similar to Excel spreadsheet) | -| MPC | Microsoft Partner Center | -| MDM | Mobile Device Management | -| OEM | Original Equipment Manufacturer | -| CSP | Cloud Solution Provider | -| MSfB | Microsoft Store for Business | -| AAD | Azure Active Directory | -| 4K HH | 4K Hardware Hash | -| CBR | Computer Build Report | -| EC | Enterprise Commerce | -| DDS | Device Directory Service | -| OOBE | Out of the Box Experience | -| UUID | Universally Unique Identifier | +--- +title: Windows Autopilot support +ms.reviewer: +manager: laurawi +description: Support information for Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot FAQ + +**Applies to: Windows 10** + +This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. + +A [glossary](#glossary) of abbreviations used in this topic is provided at the end. + + +## Microsoft Partner Center + +| Question | Answer | +| --- | --- | +| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. | +| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. | +| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | +| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | +| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| +| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

          Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | +| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | +| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

          1. Direct CSP: Gets direct authorization from the customer to register devices.

          2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

          3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | + +## Manufacturing + +| Question | Answer | +| --- | --- | +| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. | +| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. | +| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. | +| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). | +| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. | +| Will there be any change to the existing CBR with 4k Hardware Hash? | No. | +| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. | +| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. | + +## CSV schema + +| Question | Answer | +| --- | --- | +| Can a comma be used in the CSV file? | No. | +| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the “In Microsoft Store for Business” section of this guide. | +| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. | +| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). | + + +## Hardware hash + +| Question | Answer | +| --- | --- | +| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. | +| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. | +| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. | +| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. | + +## Motherboard replacement + +| Question | Answer | +| --- | --- | +| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.

          To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).

          **Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.| + +## SMBIOS + +| Question | Answer | +| --- | --- | +| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. | +| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). | +| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub | + +## Technical interface + +| Question | Answer | +| --- | --- | +| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. | +| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. | + +## The end user experience + +|Question|Answer| +|----|-----| +|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.| +|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). | +| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.| +|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.| +|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.| +|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.| +|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.| + +## MDM + +| Question | Answer | +| --- | --- | +| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | +| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | +| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | +| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. | + + +## Features + +| Question | Answer | +| --- | --- | +| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). | +| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). | +| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. | +| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included | +| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. | + + + +## General + +|Question|Answer +|------------------|-----------------| +|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.| +|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.| +|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

          Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.

          **Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. | +|What is the impact of not updating to 7B?|See the detailed scenario described directly above.| +|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.| +|Does Windows Autopilot work after MBR or image re-installation?|Yes.| +| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.| +|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.| +|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.| +|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.| +|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:

          1. OEM Direct API (only available to TVOs)
          2. MPC via the MPC API (must be a CSP)
          3. MPC via manual upload of CSV file in the UI (must be a CSP)
          4. MSfB via CSV file upload
          5. Intune via CSV file upload
          6. Microsoft 365 Business portal via CSV file upload| +|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:

          1. Through MPC (must be a CSP)
          2. Through MSfB
          3. Through Intune (or another MDM)
          4. Microsoft 365 Business portal

          Microsoft recommends creation and assignment of profiles through Intune. | +| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts
          2. Hidden special characters in CSV files.

          To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.| +| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.| +| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below:
          - Azure Germany
          - Azure China
          - Azure Government
          So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.| + +## Glossary + +| Term | Meaning | +| --- | --- | +| CSV | Comma Separated Values (File type similar to Excel spreadsheet) | +| MPC | Microsoft Partner Center | +| MDM | Mobile Device Management | +| OEM | Original Equipment Manufacturer | +| CSP | Cloud Solution Provider | +| MSfB | Microsoft Store for Business | +| AAD | Azure Active Directory | +| 4K HH | 4K Hardware Hash | +| CBR | Computer Build Report | +| EC | Enterprise Commerce | +| DDS | Device Directory Service | +| OOBE | Out of the Box Experience | +| UUID | Universally Unique Identifier | diff --git a/windows/deployment/windows-autopilot/autopilot-mbr.md b/windows/deployment/windows-autopilot/autopilot-mbr.md index d83600279e..f103766d0d 100644 --- a/windows/deployment/windows-autopilot/autopilot-mbr.md +++ b/windows/deployment/windows-autopilot/autopilot-mbr.md @@ -1,421 +1,420 @@ ---- -title: Windows Autopilot motherboard replacement -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment MBR scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -audience: itpro -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot motherboard replacement scenario guidance - -**Applies to** - -- Windows 10 - -This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. - -Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. - -**Motherboard Replacement (MBR)** - -If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: - -1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot -2. [Replace the motherboard](#replace-the-motherboard) -3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) -4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot -5. [Reset the device](#reset-the-device) -6. [Return the device](#return-the-repaired-device-to-the-customer) - -Each of these steps is described below. - -## Deregister the Autopilot device from the Autopilot program - -Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. - -**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. - -**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. - -### Deregister from Intune - -To deregister an Autopilot device from Intune, an IT Admin would: - -1. Sign in to their Intune account -2. Navigate to Intune > Groups > All groups -3. Remove the desired device from its group -4. Navigate to Intune > Devices > All devices -5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu -6. Navigate to Intune > Devices > Azure AD devices -7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu -8. Navigate to Intune > Device enrollment > Windows enrollment > Devices -9. Select the checkbox next to the device you want to deregister -10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” -11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored -12. With the unassigned device still selected, click the Delete button along the top menu to remove this device - -**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. - -The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. - -More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). - -### Deregister from MPC - -To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: - -1. Log into MPC -2. Navigate to Customer > Devices -3. Select the device to be deregistered and click the “Delete device” button - -![devices](images/devices.png) - -**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. - -Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. - -Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: -1. Copy all important data off the device. -2. Let the repair facility know which version of Windows they should reinstall after the repair. -3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. - -## Replace the motherboard - -Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. - -Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: - -- DiskSerialNumber -- SmbiosSystemSerialNumber -- SmbiosSystemManufacturer -- SmbiosSystemProductName -- SmbiosUuid -- TPM EKPub -- MacAddress -- ProductKeyID -- OSType - -**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as: -- Verify that the device is still functional -- Disable BitLocker* -- Repair the Boot Configuration Data (BCD) -- Repair and verify the network driver operation - -*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair. - -## Capture a new Autopilot device ID (4K HH) from the device - -Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: - -1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). -2. The repair technician boots the device to WinPE. -3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). - - **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. - -4. The repair technician boots the device into the new Windows image. -5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. - -Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). - -Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: - -1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). -2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - ->If you are prompted to install the NuGet package, choose **Yes**.
          ->If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
          ->If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. - -The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. - -**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. - - -## Reregister the repaired device using the new device ID - -If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. - -### Reregister from Intune - -To reregister an Autopilot device from Intune, an IT Admin would: -1. Sign in to Intune. -2. Navigate to Device enrollment > Windows enrollment > Devices > Import. -3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). - -The following video provides a good overview of how to (re)register devices via MSfB.
          - -> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] - -### Reregister from MPC - -To reregister an Autopilot device from MPC, an OEM or CSP would: - -1. Sign in to MPC. -2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. - -![device](images/device2.png)
          -![device](images/device3.png) - -In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. - -**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: - -![hash](images/hh.png) - -## Reset the device - -Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: - -On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. - -![reset](images/reset.png) - -However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). - -## Return the repaired device to the customer - -After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. - -**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. - -**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. - -## Specific repair scenarios - -This section covers the most common repair scenarios, and their impact on Autopilot enablement. - -NOTES ON TEST RESULTS: - -- Scenarios below were tested using Intune only (no other MDMs were tested). -- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. -- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair. -- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. -- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) - -In the following table:
          -- Supported = **Yes**: the device can be reenabled for Autopilot -- Supported = **No**: the device cannot be reenabled for Autopilot - - -
          ScenarioSupportedMicrosoft Recommendation -
          Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: - -1. Autopilot device is deregistered from the Autopilot program -2. The motherboard is replace -3. The device is reimaged (with BIOS info and DPK reinjected)* -4. A new Autopilot device ID (4K HH) is captured off the device -5. The repaired device is reregistered for the Autopilot program using the new device ID -6. The repaired device is reset to boot to OOBE -7. The repaired device is shipped back to the customer - -*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. - -
          MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes - -1. Deregister damaged device -2. Replace motherboard -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write device info into BIOS -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. -
          MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.)* -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device - -
          MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Insert new HDD and WLAN -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Insert new HDD -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes - -1. Deregister old device from which MB will be taken -2. Deregister damaged device (that you want to repair) -3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) -4. Reimage device (to gain access), unless have access to customers’ login credentials -5. Write old device info into BIOS (same s/n, model, etc.) -6. Capture new 4K HH -7. Reregister repaired device -8. Reset device back to OOBE -9. Go through Autopilot OOBE (customer) -10. Autopilot successfully enabled - -NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. - -
          BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. - -1. Deregister damaged device -2. Replace motherboard (BIOS does NOT contain device info) -3. Reimage and write DPK into image -4. Capture new 4K HH -5. Reregister repaired device -6. Create Autopilot profile for device -7. Go through Autopilot OOBE (customer) -8. Autopilot FAILS to recognize repaired device - -
          MBR when there is no TPM chipYesThough we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: - -1. Deregister damaged device -2. Replace motherboard -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
          New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. - -1. Deregister damaged device -2. Replace motherboard – BIOS does NOT contain DPK info -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reset or reimage device to pre-OOBE and write DPK into image -7. Reregister repaired device -8. Go through Autopilot OOBE -9. Autopilot successfully enabled - -
          New Repair Product Key (RDPK)YesUsing a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage or rest image to pre-OOBE -4. Write device info into BIOS -5. Capture new 4K HH -6. Reregister repaired device -7. Reimage or reset image to pre-OOBE -8. Go through Autopilot OOBE -9. Autopilot successfully enabled - -
          No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. -
          Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer - -1. Reimage damaged device -2. Write DPK into image -3. Go through Autopilot OOBE -4. Autopilot successfully enabled (to previous tenant ID) - -
          Disk replacement from a non-Autopilot device to an Autopilot deviceYes - -1. Do not deregister damaged device prior to repair -2. Replace HDD on damaged device -3. Reimage or reset image back to OOBE -4. Go through Autopilot OOBE (customer) -5. Autopilot successfully enabled (repaired device recognized as its previous self) - -
          Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. - -Assuming the used HDD was previously deregistered (before being used in this repair): - -1. Deregister damaged device -2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device -3. Reimage or rest the repaired device back to a pre-OOBE state -4. Go through Autopilot OOBE (customer) -5. Autopilot successfully enabled - -
          Third party network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. -
          A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. -
          Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. -
          GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. -
          - ->When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. - -**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: -- Memory (RAM or ROM) -- Power Supply -- Video Card -- Card Reader -- Sound card -- Expansion card -- Microphone -- Webcam -- Fan -- Heat sink -- CMOS battery - -Other repair scenarios not yet tested and verified include: -- Daughterboard replacement -- CPU replacement -- Wifi replacement -- Ethernet replacement - -## FAQ - -| Question | Answer | -| --- | --- | -| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | -| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | -| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | - -## Related topics - -[Device guidelines](autopilot-device-guidelines.md)
          +--- +title: Windows Autopilot motherboard replacement +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment MBR scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot motherboard replacement scenario guidance + +**Applies to** + +- Windows 10 + +This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. + +Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. + +**Motherboard Replacement (MBR)** + +If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: + +1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot +2. [Replace the motherboard](#replace-the-motherboard) +3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) +4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot +5. [Reset the device](#reset-the-device) +6. [Return the device](#return-the-repaired-device-to-the-customer) + +Each of these steps is described below. + +## Deregister the Autopilot device from the Autopilot program + +Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. + +**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. + +**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. + +### Deregister from Intune + +To deregister an Autopilot device from Intune, an IT Admin would: + +1. Sign in to their Intune account +2. Navigate to Intune > Groups > All groups +3. Remove the desired device from its group +4. Navigate to Intune > Devices > All devices +5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu +6. Navigate to Intune > Devices > Azure AD devices +7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu +8. Navigate to Intune > Device enrollment > Windows enrollment > Devices +9. Select the checkbox next to the device you want to deregister +10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” +11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored +12. With the unassigned device still selected, click the Delete button along the top menu to remove this device + +**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. + +The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. + +More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). + +### Deregister from MPC + +To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: + +1. Log into MPC +2. Navigate to Customer > Devices +3. Select the device to be deregistered and click the “Delete device” button + +![devices](images/devices.png) + +**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. + +Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. + +Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: +1. Copy all important data off the device. +2. Let the repair facility know which version of Windows they should reinstall after the repair. +3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. + +## Replace the motherboard + +Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. + +Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: + +- DiskSerialNumber +- SmbiosSystemSerialNumber +- SmbiosSystemManufacturer +- SmbiosSystemProductName +- SmbiosUuid +- TPM EKPub +- MacAddress +- ProductKeyID +- OSType + +**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as: +- Verify that the device is still functional +- Disable BitLocker* +- Repair the Boot Configuration Data (BCD) +- Repair and verify the network driver operation + +*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair. + +## Capture a new Autopilot device ID (4K HH) from the device + +Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: + +1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). +2. The repair technician boots the device to WinPE. +3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). + + **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. + +4. The repair technician boots the device into the new Windows image. +5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. + +Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). + +Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: + +1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). +2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +>If you are prompted to install the NuGet package, choose **Yes**.
          +>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
          +>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. + +The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. + +**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. + + +## Reregister the repaired device using the new device ID + +If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. + +### Reregister from Intune + +To reregister an Autopilot device from Intune, an IT Admin would: +1. Sign in to Intune. +2. Navigate to Device enrollment > Windows enrollment > Devices > Import. +3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). + +The following video provides a good overview of how to (re)register devices via MSfB.
          + +> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] + +### Reregister from MPC + +To reregister an Autopilot device from MPC, an OEM or CSP would: + +1. Sign in to MPC. +2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. + +![device](images/device2.png)
          +![device](images/device3.png) + +In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. + +**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: + +![hash](images/hh.png) + +## Reset the device + +Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: + +On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. + +![reset](images/reset.png) + +However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). + +## Return the repaired device to the customer + +After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. + +**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. + +**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. + +## Specific repair scenarios + +This section covers the most common repair scenarios, and their impact on Autopilot enablement. + +NOTES ON TEST RESULTS: + +- Scenarios below were tested using Intune only (no other MDMs were tested). +- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. +- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair. +- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. +- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) + +In the following table:
          +- Supported = **Yes**: the device can be reenabled for Autopilot +- Supported = **No**: the device cannot be reenabled for Autopilot + + +
          ScenarioSupportedMicrosoft Recommendation +
          Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: + +1. Autopilot device is deregistered from the Autopilot program +2. The motherboard is replace +3. The device is reimaged (with BIOS info and DPK reinjected)* +4. A new Autopilot device ID (4K HH) is captured off the device +5. The repaired device is reregistered for the Autopilot program using the new device ID +6. The repaired device is reset to boot to OOBE +7. The repaired device is shipped back to the customer + +*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. + +
          MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. +
          MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.)* +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device + +
          MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD and WLAN +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes + +1. Deregister old device from which MB will be taken +2. Deregister damaged device (that you want to repair) +3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) +4. Reimage device (to gain access), unless have access to customers’ login credentials +5. Write old device info into BIOS (same s/n, model, etc.) +6. Capture new 4K HH +7. Reregister repaired device +8. Reset device back to OOBE +9. Go through Autopilot OOBE (customer) +10. Autopilot successfully enabled + +NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. + +
          BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. + +1. Deregister damaged device +2. Replace motherboard (BIOS does NOT contain device info) +3. Reimage and write DPK into image +4. Capture new 4K HH +5. Reregister repaired device +6. Create Autopilot profile for device +7. Go through Autopilot OOBE (customer) +8. Autopilot FAILS to recognize repaired device + +
          MBR when there is no TPM chipYesThough we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
          New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. + +1. Deregister damaged device +2. Replace motherboard – BIOS does NOT contain DPK info +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reset or reimage device to pre-OOBE and write DPK into image +7. Reregister repaired device +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
          New Repair Product Key (RDPK)YesUsing a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage or rest image to pre-OOBE +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reimage or reset image to pre-OOBE +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
          No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. +
          Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer + +1. Reimage damaged device +2. Write DPK into image +3. Go through Autopilot OOBE +4. Autopilot successfully enabled (to previous tenant ID) + +
          Disk replacement from a non-Autopilot device to an Autopilot deviceYes + +1. Do not deregister damaged device prior to repair +2. Replace HDD on damaged device +3. Reimage or reset image back to OOBE +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled (repaired device recognized as its previous self) + +
          Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. + +Assuming the used HDD was previously deregistered (before being used in this repair): + +1. Deregister damaged device +2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device +3. Reimage or rest the repaired device back to a pre-OOBE state +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled + +
          Third party network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. +
          A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. +
          Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. +
          GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. +
          + +>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. + +**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: +- Memory (RAM or ROM) +- Power Supply +- Video Card +- Card Reader +- Sound card +- Expansion card +- Microphone +- Webcam +- Fan +- Heat sink +- CMOS battery + +Other repair scenarios not yet tested and verified include: +- Daughterboard replacement +- CPU replacement +- Wifi replacement +- Ethernet replacement + +## FAQ + +| Question | Answer | +| --- | --- | +| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | +| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | +| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | + +## Related topics + +[Device guidelines](autopilot-device-guidelines.md)
          diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md index d53325cfde..b3e02db65f 100644 --- a/windows/deployment/windows-autopilot/autopilot-support.md +++ b/windows/deployment/windows-autopilot/autopilot-support.md @@ -1,43 +1,43 @@ ---- -title: Windows Autopilot support -description: Support information for Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.date: 10/31/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows Autopilot support information - -**Applies to: Windows 10** - -The following table displays support information for the Windows Autopilot program. - -Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). - - -| Audience | Support contact | -|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | -| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
          Low – 120 hours
          Normal – 72 hours
          High – 24 hours
          Immediate – 4 hours | -| OEM with a PFE | Reach out to your PFE for support. | -| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | -| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. | -| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | -| End-user | Contact your IT administrator. | -| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | -| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | -| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | -| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | -| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | -| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | - +--- +title: Windows Autopilot support +description: Support information for Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.date: 10/31/2018 +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows Autopilot support information + +**Applies to: Windows 10** + +The following table displays support information for the Windows Autopilot program. + +Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). + + +| Audience | Support contact | +|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | +| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
          Low – 120 hours
          Normal – 72 hours
          High – 24 hours
          Immediate – 4 hours | +| OEM with a PFE | Reach out to your PFE for support. | +| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | +| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. | +| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | +| End-user | Contact your IT administrator. | +| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | +| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | +| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | +| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | +| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | +| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | + diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md index 11d6e7b42f..7e85f7099d 100644 --- a/windows/deployment/windows-autopilot/bitlocker.md +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -1,54 +1,54 @@ ---- -title: Setting the BitLocker encryption algorithm for Autopilot devices -ms.reviewer: -manager: laurawi -description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices. -keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10 -ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Setting the BitLocker encryption algorithm for Autopilot devices - -**Applies to** - -- Windows 10 - -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. - -The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. - -To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: - -1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. -2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. -3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. - -An example of Microsoft Intune Windows Encryption settings is shown below. - - ![BitLocker encryption settings](images/bitlocker-encryption.png) - -Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. - -The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. - -Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. - -## Requirements - -Windows 10, version 1809 or later. - -## See also - -[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +--- +title: Setting the BitLocker encryption algorithm for Autopilot devices +ms.reviewer: +manager: laurawi +description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices. +keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Setting the BitLocker encryption algorithm for Autopilot devices + +**Applies to** + +- Windows 10 + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. + +The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. + +To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +An example of Microsoft Intune Windows Encryption settings is shown below. + + ![BitLocker encryption settings](images/bitlocker-encryption.png) + +Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. + +The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. + +Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. + +## Requirements + +Windows 10, version 1809 or later. + +## See also + +[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 86812d946a..5b29de8d83 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,850 +1,850 @@ ---- -title: Demonstrate Autopilot deployment -ms.reviewer: -manager: laurawi -description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: autopilot ---- - - -# Demonstrate Autopilot deployment - -**Applies to** - -- Windows 10 - -To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. - -In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. - ->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. - -The following video provides an overview of the process: - -
          - - ->For a list of terms used in this guide, see the [Glossary](#glossary) section. - -## Prerequisites - -These are the things you'll need to complete this lab: - - - -
          Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
          Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
          Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
          A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
          - -## Procedures - -A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. - -[Verify support for Hyper-V](#verify-support-for-hyper-v) -
          [Enable Hyper-V](#enable-hyper-v) -
          [Create a demo VM](#create-a-demo-vm) -
              [Set ISO file location](#set-iso-file-location) -
              [Determine network adapter name](#determine-network-adapter-name) -
              [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) -
              [Install Windows 10](#install-windows-10) -
          [Capture the hardware ID](#capture-the-hardware-id) -
          [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) -
          [Verify subscription level](#verify-subscription-level) -
          [Configure company branding](#configure-company-branding) -
          [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) -
          [Register your VM](#register-your-vm) -
              [Autopilot registration using Intune](#autopilot-registration-using-intune) -
              [Autopilot registration using MSfB](#autopilot-registration-using-msfb) -
          [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) -
              [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -
                 [Assign the profile](#assign-the-profile) -
              [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) -
          [See Windows Autopilot in action](#see-windows-autopilot-in-action) -
          [Remove devices from Autopilot](#remove-devices-from-autopilot) -
              [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) -
          [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) -
          [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) -
              [Add a Win32 app](#add-a-win32-app) -
                 [Prepare the app for Intune](#prepare-the-app-for-intune) -
                 [Create app in Intune](#create-app-in-intune) -
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
              [Add Office 365](#add-office-365) -
                 [Create app in Intune](#create-app-in-intune) -
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
          [Glossary](#glossary) - -## Verify support for Hyper-V - -If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). - ->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). - -If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. - -## Enable Hyper-V - -To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: - -```powershell -Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -``` - -This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: - -```powershell -Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -``` - -When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. - ->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](../images/hyper-v-feature.png) - - ![hyper-v](../images/svr_mgr2.png) - -

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. - -To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). - -## Create a demo VM - -Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. - -To use Windows Powershell we just need to know two things: - -1. The location of the Windows 10 ISO file. - - In the example, we assume the location is **c:\iso\win10-eval.iso**. -2. The name of the network interface that connects to the Internet. - - In the example, we use a Windows PowerShell command to determine this automatically. - -After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. - -### Set ISO file location - -You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). -- When asked to select a platform, choose **64 bit**. - -After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). - -1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. -2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. -3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. - -### Determine network adapter name - -The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: - -```powershell -(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -``` - -The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. - -For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. - -### Use Windows PowerShell to create the demo VM - -All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. - ->[!IMPORTANT] ->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

          If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

          If you have never created an external VM switch before, then just run the commands below. - -```powershell -New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal -Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot -Start-VM -VMName WindowsAutopilot -``` - -After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. - -See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. - -

          -PS C:\autopilot> dir c:\iso
-
-
-    Directory: C:\iso
-
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
-
-PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-Ethernet
-PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-
-Name              SwitchType NetAdapterInterfaceDescription
-----              ---------- ------------------------------
-AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
-
-PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-
-Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
-----             ----- ----------- ----------------- ------   ------             -------
-WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
-
-PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-PS C:\autopilot> Start-VM -VMName WindowsAutopilot
-PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
-PS C:\autopilot> dir
-
-    Directory: C:\autopilot
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/12/2019   3:15 PM                VMData
-d-----        3/12/2019   3:42 PM                VMs
-
-PS C:\autopilot>
-
          - -### Install Windows 10 - -Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - - ![Windows setup](images/winsetup1.png) - ![Windows setup](images/winsetup2.png) - ![Windows setup](images/winsetup3.png) - ![Windows setup](images/winsetup4.png) - ![Windows setup](images/winsetup5.png) - ![Windows setup](images/winsetup6.png) - ->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - - ![Windows setup](images/winsetup7.png) - -Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. - - ![Windows setup](images/winsetup8.png) - -To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: - -```powershell -Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" -``` - -Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. - -## Capture the hardware ID - ->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. - -Follow these steps to run the PS script: - -1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - -When you are prompted to install the NuGet package, choose **Yes**. - -See the sample output below. - -
          -PS C:\> md c:\HWID
-
-    Directory: C:\
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/14/2019  11:33 AM                HWID
-
-PS C:\> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-PS C:\HWID> dir
-
-    Directory: C:\HWID
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
-
-PS C:\HWID>
-
          - -Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. - -**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - -![Serial number and hardware hash](images/hwid.png) - -You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). - -If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. - ->[!NOTE] ->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. - -## Reset the VM back to Out-Of-Box-Experience (OOBE) - -With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. - -On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. -Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. - -![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) - -Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. - -![Reset this PC screen capture](images/autopilot-reset-progress.jpg) - -## Verify subscription level - -For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: - -**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** - -![MDM and Intune](images/mdm-intune2.png) - -If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. - -To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. - -![Reset this PC final prompt](images/aad-lic1.png) - -## Configure company branding - -If you already have company branding configured in Azure Active Directory, you can skip this step. - ->[!IMPORTANT] ->Make sure to sign-in with a Global Administrator account. - -Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. - -![Configure company branding](images/branding.png) - -When you are finished, click **Save**. - ->[!NOTE] ->Changes to company branding can take up to 30 minutes to apply. - -## Configure Microsoft Intune auto-enrollment - -If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. - -Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. - -For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. - -![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) - -## Register your VM - -Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. - -### Autopilot registration using Intune - -1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. - - ![Intune device import](images/device-import.png) - - >[!NOTE] - >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. - -2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. - - ![HWID CSV](images/hwid-csv.png) - - You should receive confirmation that the file is formatted correctly before uploading it, as shown above. - -3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. - -4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. - - ![Import HWID](images/import-vm.png) - -### Autopilot registration using MSfB - ->[!IMPORTANT] ->If you've already registered your VM (or device) using Intune, then skip this step. - -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. - -Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. - -Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: - -![Microsoft Store for Business](images/msfb.png) - -Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. - -![Devices](images/msfb-device.png) - -## Create and assign a Windows Autopilot deployment profile - ->[!IMPORTANT] ->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: - -Pick one: -- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) - -### Create a Windows Autopilot deployment profile using Intune - ->[!NOTE] ->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: - -![Devices](images/intune-devices.png) - ->The example above lists both a physical device and a VM. Your list should only include only one of these. - -To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** - -![Deployment profiles](images/deployment-profiles.png) - -Click on **Create profile**. - -![Create deployment profile](images/create-profile.png) - -On the **Create profile** blade, use the following values: - -| Setting | Value | -|---|---| -| Name | Autopilot Lab profile | -| Description | blank | -| Convert all targeted devices to Autopilot | No | -| Deployment mode | User-driven | -| Join to Azure AD as | Azure AD joined | - -Click on **Out-of-box experience (OOBE)** and configure the following settings: - -| Setting | Value | -|---|---| -| EULA | Hide | -| Privacy Settings | Hide | -| Hide change account options | Hide | -| User account type | Standard | -| Apply device name template | No | - -See the following example: - -![Deployment profile](images/profile.png) - -Click on **OK** and then click on **Create**. - ->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). - -#### Assign the profile - -Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. - -To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: - -![All groups](images/all-groups.png) - -Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: - -Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. - -![New group](images/new-group.png) - -Now click **Create** to finish creating the new group. - -Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. - -With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). - -From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: - -![Lab profile](images/deployment-profiles2.png) - -Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). - -![Include group](images/include-group.png) - -Click **Select** and then click **Save**. - -![Include group](images/include-group2.png) - -It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). - -### Create a Windows Autopilot deployment profile using MSfB - -If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. - -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. - -First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. - -Click **Manage** from the top menu, then click **Devices** from the left navigation tree. - -![MSfB manage](images/msfb-manage.png) - -Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. - -To CREATE the profile: - -Select your device from the **Devices** list: - -![MSfB create](images/msfb-create1.png) - -On the Autopilot deployment dropdown menu, select **Create new profile**: - -![MSfB create](images/msfb-create2.png) - -Name the profile, choose your desired settings, and then click **Create**: - -![MSfB create](images/msfb-create3.png) - -The new profile is added to the Autopilot deployment list. - -To ASSIGN the profile: - -To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: - -![MSfB assign](images/msfb-assign1.png) - -Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: - -![MSfB assign](images/msfb-assign2.png) - ->[!IMPORTANT] ->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. - -## See Windows Autopilot in action - -If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: - -![Device status](images/device-status.png) - -Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. - ->[!TIP] ->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). - -- Ensure your device has an internet connection. -- Turn on the device -- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). - -![OOBE sign-in page](images/autopilot-oobe.jpg) - -Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. - -![Device enabled](images/enabled-device.png) - -Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. - -Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. - -## Remove devices from Autopilot - -To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. - -### Delete (deregister) Autopilot device - -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. - -![Delete device](images/delete-device1.png) - -Click **X** when challenged to complete the operation: - -![Delete device](images/delete-device2.png) - -This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. - -![Delete device](images/delete-device3.png) - -The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. - -To remove the device from the Autopilot program, select the device and click Delete. - -![Delete device](images/delete-device4.png) - -A warning message appears reminding you to first remove the device from Intune, which we previously did. - -![Delete device](images/delete-device5.png) - -At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: - -![Delete device](images/delete-device6.png) - -Once the device no longer appears, you are free to reuse it for other purposes. - -If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: - -![Delete device](images/delete-device7.png) - -## Appendix A: Verify support for Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - -
          -C:>systeminfo
-
-...
-Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                           Virtualization Enabled In Firmware: Yes
-                           Second Level Address Translation: Yes
-                           Data Execution Prevention Available: Yes
-
          - -In this example, the computer supports SLAT and Hyper-V. - ->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - -You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - -
          -C:>coreinfo -v
-
-Coreinfo v3.31 - Dump information on system CPU and memory topology
-Copyright (C) 2008-2014 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-Microcode signature: 0000001B
-HYPERVISOR      -       Hypervisor is present
-VMX             *       Supports Intel hardware-assisted virtualization
-EPT             *       Supports Intel extended page tables (SLAT)
-
          - -Note: A 64-bit operating system is required to run Hyper-V. - -## Appendix B: Adding apps to your profile - -### Add a Win32 app - -#### Prepare the app for Intune - -Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: - -1. The source folder for your application -2. The name of the setup executable file -3. The output folder for the new file - -For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. - -Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. - -Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: - -![Add app](images/app01.png) - -After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app02.png) - -Under **App Type**, select **Windows app (Win32)**: - -![Add app](images/app03.png) - -On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: - -![Add app](images/app04.png) - -On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: - -![Add app](images/app05.png) - -On the **Program Configuration** blade, supply the install and uninstall commands: - -Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q -Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q - -NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. - -![Add app](images/app06.png) - -Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). - -Click **OK** to save your input and activate the **Requirements** blade. - -On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: - -![Add app](images/app07.png) - -Next, configure the **Detection rules**. For our purposes, we will select manual format: - -![Add app](images/app08.png) - -Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: - -![Add app](images/app09.png) - -Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. - -**Return codes**: For our purposes, leave the return codes at their default values: - -![Add app](images/app10.png) - -Click **OK** to exit. - -You may skip configuring the final **Scope (Tags)** blade. - -Click the **Add** button to finalize and save your app package. - -Once the indicator message says the addition has completed. - -![Add app](images/app11.png) - -You will be able to find your app in your app list: - -![Add app](images/app12.png) - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app13.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select *8Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app14.png) - -![Add app](images/app15.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app16.png) - -At this point, you have completed steps to add a Win32 app to Intune. - -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). - -### Add Office 365 - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app17.png) - -Under **App Type**, select **Office 365 Suite > Windows 10**: - -![Add app](images/app18.png) - -Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: - -![Add app](images/app19.png) - -Click **OK**. - -In the **App Suite Information** pane, enter a unique suite name, and a suitable description. - ->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. - -![Add app](images/app20.png) - -Click **OK**. - -In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: - -![Add app](images/app21.png) - -Click **OK** and then click **Add**. - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app22.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select **Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app23.png) - -![Add app](images/app24.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app25.png) - -At this point, you have completed steps to add Office to Intune. - -For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). - -If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: - -![Add app](images/app26.png) - -## Glossary - - - - - - - - - - - - - - -
          OEMOriginal Equipment Manufacturer
          CSVComma Separated Values
          MPCMicrosoft Partner Center
          CSPCloud Solution Provider
          MSfBMicrosoft Store for Business
          AADAzure Active Directory
          4K HH4K Hardware Hash
          CBRComputer Build Report
          ECEnterprise Commerce (server)
          DDSDevice Directory Service
          OOBEOut of the Box Experience
          VMVirtual Machine
          +--- +title: Demonstrate Autopilot deployment +ms.reviewer: +manager: laurawi +description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +ms.custom: autopilot +--- + + +# Demonstrate Autopilot deployment + +**Applies to** + +- Windows 10 + +To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. + +In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. + +>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. + +The following video provides an overview of the process: + +
          + + +>For a list of terms used in this guide, see the [Glossary](#glossary) section. + +## Prerequisites + +These are the things you'll need to complete this lab: + + + +
          Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
          Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
          Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
          A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
          + +## Procedures + +A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. + +[Verify support for Hyper-V](#verify-support-for-hyper-v) +
          [Enable Hyper-V](#enable-hyper-v) +
          [Create a demo VM](#create-a-demo-vm) +
              [Set ISO file location](#set-iso-file-location) +
              [Determine network adapter name](#determine-network-adapter-name) +
              [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) +
              [Install Windows 10](#install-windows-10) +
          [Capture the hardware ID](#capture-the-hardware-id) +
          [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) +
          [Verify subscription level](#verify-subscription-level) +
          [Configure company branding](#configure-company-branding) +
          [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) +
          [Register your VM](#register-your-vm) +
              [Autopilot registration using Intune](#autopilot-registration-using-intune) +
              [Autopilot registration using MSfB](#autopilot-registration-using-msfb) +
          [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) +
              [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +
                 [Assign the profile](#assign-the-profile) +
              [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +
          [See Windows Autopilot in action](#see-windows-autopilot-in-action) +
          [Remove devices from Autopilot](#remove-devices-from-autopilot) +
              [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) +
          [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) +
          [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) +
              [Add a Win32 app](#add-a-win32-app) +
                 [Prepare the app for Intune](#prepare-the-app-for-intune) +
                 [Create app in Intune](#create-app-in-intune) +
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
              [Add Office 365](#add-office-365) +
                 [Create app in Intune](#create-app-in-intune) +
                 [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
          [Glossary](#glossary) + +## Verify support for Hyper-V + +If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). + +>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). + +If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. + +## Enable Hyper-V + +To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: + +```powershell +Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All +``` + +This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: + +```powershell +Install-WindowsFeature -Name Hyper-V -IncludeManagementTools +``` + +When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. + +>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](../images/hyper-v-feature.png) + + ![hyper-v](../images/svr_mgr2.png) + +

          If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. + +To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). + +## Create a demo VM + +Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. + +To use Windows Powershell we just need to know two things: + +1. The location of the Windows 10 ISO file. + - In the example, we assume the location is **c:\iso\win10-eval.iso**. +2. The name of the network interface that connects to the Internet. + - In the example, we use a Windows PowerShell command to determine this automatically. + +After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. + +### Set ISO file location + +You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). +- When asked to select a platform, choose **64 bit**. + +After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). + +1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. +2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. +3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. + +### Determine network adapter name + +The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: + +```powershell +(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +``` + +The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. + +For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. + +### Use Windows PowerShell to create the demo VM + +All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. + +>[!IMPORTANT] +>**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

          If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

          If you have never created an external VM switch before, then just run the commands below. + +```powershell +New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot +Start-VM -VMName WindowsAutopilot +``` + +After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. + +See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. + +

          +PS C:\autopilot> dir c:\iso
+
+
+    Directory: C:\iso
+
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
+
+PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+Ethernet
+PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+
+Name              SwitchType NetAdapterInterfaceDescription
+----              ---------- ------------------------------
+AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
+
+PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+
+Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
+----             ----- ----------- ----------------- ------   ------             -------
+WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
+
+PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+PS C:\autopilot> Start-VM -VMName WindowsAutopilot
+PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
+PS C:\autopilot> dir
+
+    Directory: C:\autopilot
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/12/2019   3:15 PM                VMData
+d-----        3/12/2019   3:42 PM                VMs
+
+PS C:\autopilot>
+
          + +### Install Windows 10 + +Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: + + ![Windows setup](images/winsetup1.png) + ![Windows setup](images/winsetup2.png) + ![Windows setup](images/winsetup3.png) + ![Windows setup](images/winsetup4.png) + ![Windows setup](images/winsetup5.png) + ![Windows setup](images/winsetup6.png) + +>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: + + ![Windows setup](images/winsetup7.png) + +Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. + + ![Windows setup](images/winsetup8.png) + +To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: + +```powershell +Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" +``` + +Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. + +## Capture the hardware ID + +>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. + +Follow these steps to run the PS script: + +1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +When you are prompted to install the NuGet package, choose **Yes**. + +See the sample output below. + +
          +PS C:\> md c:\HWID
+
+    Directory: C:\
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/14/2019  11:33 AM                HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+    Directory: C:\HWID
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
+
+PS C:\HWID>
+
          + +Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. + +**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. + +![Serial number and hardware hash](images/hwid.png) + +You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). + +If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. + +>[!NOTE] +>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. + +## Reset the VM back to Out-Of-Box-Experience (OOBE) + +With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. + +On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. +Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. + +![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) + +Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. + +![Reset this PC screen capture](images/autopilot-reset-progress.jpg) + +## Verify subscription level + +For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: + +**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** + +![MDM and Intune](images/mdm-intune2.png) + +If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. + +To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. + +![Reset this PC final prompt](images/aad-lic1.png) + +## Configure company branding + +If you already have company branding configured in Azure Active Directory, you can skip this step. + +>[!IMPORTANT] +>Make sure to sign-in with a Global Administrator account. + +Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. + +![Configure company branding](images/branding.png) + +When you are finished, click **Save**. + +>[!NOTE] +>Changes to company branding can take up to 30 minutes to apply. + +## Configure Microsoft Intune auto-enrollment + +If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. + +Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. + +For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. + +![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) + +## Register your VM + +Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. + +### Autopilot registration using Intune + +1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. + + ![Intune device import](images/device-import.png) + + >[!NOTE] + >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. + +2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. + + ![HWID CSV](images/hwid-csv.png) + + You should receive confirmation that the file is formatted correctly before uploading it, as shown above. + +3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. + +4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. + + ![Import HWID](images/import-vm.png) + +### Autopilot registration using MSfB + +>[!IMPORTANT] +>If you've already registered your VM (or device) using Intune, then skip this step. + +Optional: see the following video for an overview of the process. + +  + +> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] + +First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. + +Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. + +Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: + +![Microsoft Store for Business](images/msfb.png) + +Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. + +![Devices](images/msfb-device.png) + +## Create and assign a Windows Autopilot deployment profile + +>[!IMPORTANT] +>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: + +Pick one: +- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) + +### Create a Windows Autopilot deployment profile using Intune + +>[!NOTE] +>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: + +![Devices](images/intune-devices.png) + +>The example above lists both a physical device and a VM. Your list should only include only one of these. + +To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** + +![Deployment profiles](images/deployment-profiles.png) + +Click on **Create profile**. + +![Create deployment profile](images/create-profile.png) + +On the **Create profile** blade, use the following values: + +| Setting | Value | +|---|---| +| Name | Autopilot Lab profile | +| Description | blank | +| Convert all targeted devices to Autopilot | No | +| Deployment mode | User-driven | +| Join to Azure AD as | Azure AD joined | + +Click on **Out-of-box experience (OOBE)** and configure the following settings: + +| Setting | Value | +|---|---| +| EULA | Hide | +| Privacy Settings | Hide | +| Hide change account options | Hide | +| User account type | Standard | +| Apply device name template | No | + +See the following example: + +![Deployment profile](images/profile.png) + +Click on **OK** and then click on **Create**. + +>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). + +#### Assign the profile + +Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. + +To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: + +![All groups](images/all-groups.png) + +Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: + +Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. + +![New group](images/new-group.png) + +Now click **Create** to finish creating the new group. + +Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. + +With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). + +From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: + +![Lab profile](images/deployment-profiles2.png) + +Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). + +![Include group](images/include-group.png) + +Click **Select** and then click **Save**. + +![Include group](images/include-group2.png) + +It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). + +### Create a Windows Autopilot deployment profile using MSfB + +If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. + +A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. + +First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. + +Click **Manage** from the top menu, then click **Devices** from the left navigation tree. + +![MSfB manage](images/msfb-manage.png) + +Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. + +To CREATE the profile: + +Select your device from the **Devices** list: + +![MSfB create](images/msfb-create1.png) + +On the Autopilot deployment dropdown menu, select **Create new profile**: + +![MSfB create](images/msfb-create2.png) + +Name the profile, choose your desired settings, and then click **Create**: + +![MSfB create](images/msfb-create3.png) + +The new profile is added to the Autopilot deployment list. + +To ASSIGN the profile: + +To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: + +![MSfB assign](images/msfb-assign1.png) + +Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: + +![MSfB assign](images/msfb-assign2.png) + +>[!IMPORTANT] +>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. + +## See Windows Autopilot in action + +If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: + +![Device status](images/device-status.png) + +Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. + +>[!TIP] +>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). + +- Ensure your device has an internet connection. +- Turn on the device +- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). + +![OOBE sign-in page](images/autopilot-oobe.jpg) + +Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. + +![Device enabled](images/enabled-device.png) + +Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. + +Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. + +## Remove devices from Autopilot + +To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. + +### Delete (deregister) Autopilot device + +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. + +![Delete device](images/delete-device1.png) + +Click **X** when challenged to complete the operation: + +![Delete device](images/delete-device2.png) + +This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. + +![Delete device](images/delete-device3.png) + +The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. + +To remove the device from the Autopilot program, select the device and click Delete. + +![Delete device](images/delete-device4.png) + +A warning message appears reminding you to first remove the device from Intune, which we previously did. + +![Delete device](images/delete-device5.png) + +At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: + +![Delete device](images/delete-device6.png) + +Once the device no longer appears, you are free to reuse it for other purposes. + +If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: + +![Delete device](images/delete-device7.png) + +## Appendix A: Verify support for Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + +
          +C:>systeminfo
+
+...
+Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                           Virtualization Enabled In Firmware: Yes
+                           Second Level Address Translation: Yes
+                           Data Execution Prevention Available: Yes
+
          + +In this example, the computer supports SLAT and Hyper-V. + +>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + +You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + +
          +C:>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR      -       Hypervisor is present
+VMX             *       Supports Intel hardware-assisted virtualization
+EPT             *       Supports Intel extended page tables (SLAT)
+
          + +Note: A 64-bit operating system is required to run Hyper-V. + +## Appendix B: Adding apps to your profile + +### Add a Win32 app + +#### Prepare the app for Intune + +Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: + +1. The source folder for your application +2. The name of the setup executable file +3. The output folder for the new file + +For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. + +Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. + +Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: + +![Add app](images/app01.png) + +After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. + +#### Create app in Intune + +Log into the Azure portal and select **Intune**. + +Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. + +![Add app](images/app02.png) + +Under **App Type**, select **Windows app (Win32)**: + +![Add app](images/app03.png) + +On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: + +![Add app](images/app04.png) + +On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: + +![Add app](images/app05.png) + +On the **Program Configuration** blade, supply the install and uninstall commands: + +Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q +Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q + +NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. + +![Add app](images/app06.png) + +Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). + +Click **OK** to save your input and activate the **Requirements** blade. + +On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: + +![Add app](images/app07.png) + +Next, configure the **Detection rules**. For our purposes, we will select manual format: + +![Add app](images/app08.png) + +Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: + +![Add app](images/app09.png) + +Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. + +**Return codes**: For our purposes, leave the return codes at their default values: + +![Add app](images/app10.png) + +Click **OK** to exit. + +You may skip configuring the final **Scope (Tags)** blade. + +Click the **Add** button to finalize and save your app package. + +Once the indicator message says the addition has completed. + +![Add app](images/app11.png) + +You will be able to find your app in your app list: + +![Add app](images/app12.png) + +#### Assign the app to your Intune profile + +**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + +In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: + +![Add app](images/app13.png) + +Select **Add Group** to open the **Add group** pane that is related to the app. + +For our purposes, select *8Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app14.png) + +![Add app](images/app15.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app16.png) + +At this point, you have completed steps to add a Win32 app to Intune. + +For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). + +### Add Office 365 + +#### Create app in Intune + +Log into the Azure portal and select **Intune**. + +Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. + +![Add app](images/app17.png) + +Under **App Type**, select **Office 365 Suite > Windows 10**: + +![Add app](images/app18.png) + +Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: + +![Add app](images/app19.png) + +Click **OK**. + +In the **App Suite Information** pane, enter a unique suite name, and a suitable description. + +>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. + +![Add app](images/app20.png) + +Click **OK**. + +In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: + +![Add app](images/app21.png) + +Click **OK** and then click **Add**. + +#### Assign the app to your Intune profile + +**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + +In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: + +![Add app](images/app22.png) + +Select **Add Group** to open the **Add group** pane that is related to the app. + +For our purposes, select **Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app23.png) + +![Add app](images/app24.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app25.png) + +At this point, you have completed steps to add Office to Intune. + +For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). + +If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: + +![Add app](images/app26.png) + +## Glossary + + + + + + + + + + + + + + +
          OEMOriginal Equipment Manufacturer
          CSVComma Separated Values
          MPCMicrosoft Partner Center
          CSPCloud Solution Provider
          MSfBMicrosoft Store for Business
          AADAzure Active Directory
          4K HH4K Hardware Hash
          CBRComputer Build Report
          ECEnterprise Commerce (server)
          DDSDevice Directory Service
          OOBEOut of the Box Experience
          VMVirtual Machine
          diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index c08469ea87..6c5c118bec 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -1,39 +1,39 @@ ---- -title: Windows Autopilot Enrollment Status Page -ms.reviewer: -manager: laurawi -description: Gives an overview of the Enrollment Status Page capabilities, configuration -keywords: Autopilot Plug and Forget, Windows 10 -ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Enrollment Status Page - -**Applies to** - -- Windows 10, version 1803 and later - -The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time. - -The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status). - - ![Enrollment Status Page](images/enrollment-status-page.png) - - -## More information - -For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
          -For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
          -For more information about blocking for app installation: -- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). -- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). +--- +title: Windows Autopilot Enrollment Status Page +ms.reviewer: +manager: laurawi +description: Gives an overview of the Enrollment Status Page capabilities, configuration +keywords: Autopilot Plug and Forget, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Enrollment Status Page + +**Applies to** + +- Windows 10, version 1803 and later + +The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time. + +The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status). + + ![Enrollment Status Page](images/enrollment-status-page.png) + + +## More information + +For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
          +For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
          +For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index a053db3c32..f514184445 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -1,315 +1,315 @@ ---- -title: Windows Autopilot for existing devices -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows Autopilot for existing devices - -**Applies to: Windows 10** - -Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. - -This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot. - ->[!NOTE] ->Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported. - -## Prerequisites - -- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) -- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. -- Assigned Microsoft Intune Licenses -- Azure Active Directory Premium -- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image - -## Procedures - -### Configure the Enrollment Status Page (optional) - -If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. - -To enable and configure the enrollment and status page: - -1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). -2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). -3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. - -See the following examples. - -![enrollment status page](images/esp-config.png)

          -![mdm](images/mdm-config.png) - -### Create the JSON file - ->[!TIP] ->To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616). - -1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window -2. Enter the following lines to install the necessary modules - - #### Install required modules - - ```powershell - Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force - Install-Module AzureAD -Force - Install-Module WindowsAutopilotIntune -Force - ``` - -3. Enter the following lines and provide Intune administrative credentials - - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. - - ```powershell - Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com - ``` - The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. -
          See the following example: - - ![Azure AD authentication](images/pwd.png) - - If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: - - Select **Consent on behalf or your organization** - - Click **Accept** - -4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: - - #### Retrieve profiles in Autopilot for existing devices JSON format - - ```powershell - Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON - ``` - - See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) - 
          -    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
-    {
-        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
-        "CloudAssignedForcedEnrollment":  1,
-        "Version":  2049,
-        "Comment_File":  "Profile Autopilot Profile",
-        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
-        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
-        "CloudAssignedDomainJoinMethod":  0,
-        "CloudAssignedOobeConfig":  28,
-        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
-    }
          - - Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. - - See the following table for a description of properties used in the JSON file. - - - | Property | Description | - |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | - | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | - | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | - | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | - | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | - | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
          0 = not required, 1 = required. | - | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | - | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
          Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | - | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | - - -5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string) - - ```powershell - Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII - ``` - **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. - - If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. - - ![Notepad JSON](images/notepad.png) - - After saving the file, move the file to a location suitable as an SCCM package source. - - >[!IMPORTANT] - >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

          **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
          - - -### Create a package containing the JSON file - -1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** -2. On the ribbon, click **Create Package** -3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
          - - Name: **Autopilot for existing devices config** - - Select the **This package contains source files** checkbox - - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. - - Click **OK** and then click **Next**. - - Program Type: **Do not create a program** -4. Click **Next** twice and then click **Close**. - -**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. - -### Create a target collection - ->[!NOTE] ->You can also choose to reuse an existing collection - -1. Navigate to **\Assets and Compliance\Overview\Device Collections** -2. On the ribbon, click **Create** and then click **Create Device Collection** -3. In the **Create Device Collection Wizard** enter the following **General** details: - - Name: **Autopilot for existing devices collection** - - Comment: (optional) - - Limiting collection: Click **Browse** and select **All Systems** - - >[!NOTE] - >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. - -4. Click **Next**, then enter the following **Membership Rules** details: - - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. - - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. - - ![Named resource1](images/pc-01a.png) - ![Named resource2](images/pc-01b.png) - -5. Continue creating the device collection with the default settings: - - Use incremental updates for this collection: not selected - - Schedule a full update on this collection: default - - Click **Next** twice and then click **Close** - -### Create an Autopilot for existing devices Task Sequence - ->[!TIP] ->The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. - -1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** -2. On the Home ribbon, click **Create Task Sequence** -3. Select **Install an existing image package** and then click **Next** -4. In the Create Task Sequence Wizard enter the following details: - - Task sequence name: **Autopilot for existing devices** - - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) - - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. - - Select the **Partition and format the target computer before installing the operating system** checkbox. - - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. - - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. - - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. - - Enable the account and specify the local administrator password: Optional. - - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. - - >[!IMPORTANT] - >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. - -5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. -6. On the State Migration page, enter the following details: - - Clear the **Capture user settings and files** checkbox. - - Clear the **Capture network settings** checkbox. - - Clear the **Capture Microsoft Windows settings** checkbox. - - Click **Next**. - - >[!NOTE] - >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. - -7. On the Include Updates page, choose one of the three available options. This selection is optional. -8. On the Install applications page, add applications if desired. This is optional. -9. Click **Next**, confirm settings, click **Next** and then click **Close**. -10. Right click on the Autopilot for existing devices task sequence and click **Edit**. -11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. -12. Click **Add** then click **New Group**. -13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. -14. Click **Add**, point to **General**, then click **Run Command Line**. -15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. -16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: - ``` - cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c - ``` - - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. - -17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. -18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. -19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. -20. Click **Add** and then click **New Group**. -21. Change **Name** from **New Group** to **Prepare Device for Autopilot** -22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. -23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. -24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: - - Automatically build mass storage driver list: **Not selected** - - Do not reset activation flag: **Not selected** - - Shutdown the computer after running this action: **Optional** - - ![Autopilot task sequence](images/ap-ts-1.png) - -25. Click **OK** to close the Task Sequence Editor. - -### Deploy Content to Distribution Points - -Next, ensure that all content required for the task sequence is deployed to distribution points. - -1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. -2. Click **Next**, **Review the content to distribute** and then click **Next**. -3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. -4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. -5. When you are finished specifying content distribution, click **Next** twice then click **Close**. - -### Deploy the OS with Autopilot Task Sequence - -1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. -2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: - - Task Sequence: **Autopilot for existing devices**. - - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). - - Click **Next** to specify **Deployment Settings**. - - Action: **Install**. - - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. - - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. - - Click **Next** to specify **Scheduling** details. - - Schedule when this deployment will become available: Optional - - Schedule when this deployment will expire: Optional - - Click **Next** to specify **User Experience** details. - - Show Task Sequence progress: Selected. - - Software Installation: Not selected. - - System restart (if required to complete the installation): Not selected. - - Commit changed at deadline or during a maintenance windows (requires restart): Optional. - - Allow task sequence to be run for client on the Internet: Optional - - Click **Next** to specify **Alerts** details. - - Create a deployment alert when the threshold is higher than the following: Optional. - - Click **Next** to specify **Distribution Points** details. - - Deployment options: **Download content locally when needed by the running task sequence**. - - When no local distribution point is available use a remote distribution point: Optional. - - Allow clients to use distribution points from the default site boundary group: Optional. - - Click **Next**, confirm settings, click **Next**, and then click **Close**. - -### Complete the client installation process - -1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: - - ![Named resource2](images/sc.png) - ![Named resource2](images/sc1.png) - -The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. - -![refresh-1](images/up-1.png) -![refresh-2](images/up-2.png) -![refresh-3](images/up-3.png) - ->[!NOTE] ->If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information. - -### Register the device for Windows Autopilot - -Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). - -Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). - -## Speeding up the deployment process - -To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). +--- +title: Windows Autopilot for existing devices +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows Autopilot for existing devices + +**Applies to: Windows 10** + +Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. + +This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot. + +>[!NOTE] +>Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported. + +## Prerequisites + +- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) +- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later + - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. +- Assigned Microsoft Intune Licenses +- Azure Active Directory Premium +- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image + +## Procedures + +### Configure the Enrollment Status Page (optional) + +If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. + +To enable and configure the enrollment and status page: + +1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). +2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). +3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. + +See the following examples. + +![enrollment status page](images/esp-config.png)

          +![mdm](images/mdm-config.png) + +### Create the JSON file + +>[!TIP] +>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616). + +1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window +2. Enter the following lines to install the necessary modules + + #### Install required modules + + ```powershell + Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force + Install-Module AzureAD -Force + Install-Module WindowsAutopilotIntune -Force + ``` + +3. Enter the following lines and provide Intune administrative credentials + - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. + + ```powershell + Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com + ``` + The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. +
          See the following example: + + ![Azure AD authentication](images/pwd.png) + + If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: + - Select **Consent on behalf or your organization** + - Click **Accept** + +4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: + + #### Retrieve profiles in Autopilot for existing devices JSON format + + ```powershell + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON + ``` + + See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) + 
          +    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
+    {
+        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
+        "CloudAssignedForcedEnrollment":  1,
+        "Version":  2049,
+        "Comment_File":  "Profile Autopilot Profile",
+        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
+        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
+        "CloudAssignedDomainJoinMethod":  0,
+        "CloudAssignedOobeConfig":  28,
+        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
+    }
          + + Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. + + See the following table for a description of properties used in the JSON file. + + + | Property | Description | + |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | + | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | + | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | + | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | + | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
          0 = not required, 1 = required. | + | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | + | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
          Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | + | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | + + +5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string) + + ```powershell + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII + ``` + **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. + + If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. + + ![Notepad JSON](images/notepad.png) + + After saving the file, move the file to a location suitable as an SCCM package source. + + >[!IMPORTANT] + >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

          **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
          + + +### Create a package containing the JSON file + +1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** +2. On the ribbon, click **Create Package** +3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
          + - Name: **Autopilot for existing devices config** + - Select the **This package contains source files** checkbox + - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. + - Click **OK** and then click **Next**. + - Program Type: **Do not create a program** +4. Click **Next** twice and then click **Close**. + +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. + +### Create a target collection + +>[!NOTE] +>You can also choose to reuse an existing collection + +1. Navigate to **\Assets and Compliance\Overview\Device Collections** +2. On the ribbon, click **Create** and then click **Create Device Collection** +3. In the **Create Device Collection Wizard** enter the following **General** details: + - Name: **Autopilot for existing devices collection** + - Comment: (optional) + - Limiting collection: Click **Browse** and select **All Systems** + + >[!NOTE] + >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. + +4. Click **Next**, then enter the following **Membership Rules** details: + - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + + ![Named resource1](images/pc-01a.png) + ![Named resource2](images/pc-01b.png) + +5. Continue creating the device collection with the default settings: + - Use incremental updates for this collection: not selected + - Schedule a full update on this collection: default + - Click **Next** twice and then click **Close** + +### Create an Autopilot for existing devices Task Sequence + +>[!TIP] +>The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. + +1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** +2. On the Home ribbon, click **Create Task Sequence** +3. Select **Install an existing image package** and then click **Next** +4. In the Create Task Sequence Wizard enter the following details: + - Task sequence name: **Autopilot for existing devices** + - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) + - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. + - Select the **Partition and format the target computer before installing the operating system** checkbox. + - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. + - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. + - Enable the account and specify the local administrator password: Optional. + - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. + + >[!IMPORTANT] + >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. + +5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. +6. On the State Migration page, enter the following details: + - Clear the **Capture user settings and files** checkbox. + - Clear the **Capture network settings** checkbox. + - Clear the **Capture Microsoft Windows settings** checkbox. + - Click **Next**. + + >[!NOTE] + >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. + +7. On the Include Updates page, choose one of the three available options. This selection is optional. +8. On the Install applications page, add applications if desired. This is optional. +9. Click **Next**, confirm settings, click **Next** and then click **Close**. +10. Right click on the Autopilot for existing devices task sequence and click **Edit**. +11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. +12. Click **Add** then click **New Group**. +13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. +14. Click **Add**, point to **General**, then click **Run Command Line**. +15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. +16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: + ``` + cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c + ``` + - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. + +17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. +18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. +19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. +20. Click **Add** and then click **New Group**. +21. Change **Name** from **New Group** to **Prepare Device for Autopilot** +22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. +23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. +24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: + - Automatically build mass storage driver list: **Not selected** + - Do not reset activation flag: **Not selected** + - Shutdown the computer after running this action: **Optional** + + ![Autopilot task sequence](images/ap-ts-1.png) + +25. Click **OK** to close the Task Sequence Editor. + +### Deploy Content to Distribution Points + +Next, ensure that all content required for the task sequence is deployed to distribution points. + +1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. +2. Click **Next**, **Review the content to distribute** and then click **Next**. +3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. +4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. +5. When you are finished specifying content distribution, click **Next** twice then click **Close**. + +### Deploy the OS with Autopilot Task Sequence + +1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. +2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: + - Task Sequence: **Autopilot for existing devices**. + - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). + - Click **Next** to specify **Deployment Settings**. + - Action: **Install**. + - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. + - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. + - Click **Next** to specify **Scheduling** details. + - Schedule when this deployment will become available: Optional + - Schedule when this deployment will expire: Optional + - Click **Next** to specify **User Experience** details. + - Show Task Sequence progress: Selected. + - Software Installation: Not selected. + - System restart (if required to complete the installation): Not selected. + - Commit changed at deadline or during a maintenance windows (requires restart): Optional. + - Allow task sequence to be run for client on the Internet: Optional + - Click **Next** to specify **Alerts** details. + - Create a deployment alert when the threshold is higher than the following: Optional. + - Click **Next** to specify **Distribution Points** details. + - Deployment options: **Download content locally when needed by the running task sequence**. + - When no local distribution point is available use a remote distribution point: Optional. + - Allow clients to use distribution points from the default site boundary group: Optional. + - Click **Next**, confirm settings, click **Next**, and then click **Close**. + +### Complete the client installation process + +1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: + + ![Named resource2](images/sc.png) + ![Named resource2](images/sc1.png) + +The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. + +![refresh-1](images/up-1.png) +![refresh-2](images/up-2.png) +![refresh-3](images/up-3.png) + +>[!NOTE] +>If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information. + +### Register the device for Windows Autopilot + +Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). + +Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). + +## Speeding up the deployment process + +To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md index d0070ad1db..efeffc2e04 100644 --- a/windows/deployment/windows-autopilot/index.md +++ b/windows/deployment/windows-autopilot/index.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop @@ -57,7 +58,7 @@ This guide is intended for use by an IT-specialist, system architect, or busines Registering devicesThe process of registering a device with the Windows Autopilot deployment service is described. Configuring device profilesThe device profile settings that specifie its behavior when it is deployed are described. Enrollment status pageSettings that are available on the Enrollment Status Page are described. -Bitlocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described. +BitLocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described. Troubleshooting Windows AutopilotDiagnotic event information and troubleshooting procedures are provided. Known issuesA list of current known issues and solutions is provided. @@ -73,4 +74,4 @@ This guide is intended for use by an IT-specialist, system architect, or busines ## Related topics -[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot) \ No newline at end of file +[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot) diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index dae9f38910..d1f538dd46 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -1,47 +1,46 @@ ---- -title: Windows Autopilot known issues -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot - known issues - -**Applies to** - -- Windows 10 - - -
          IssueMore information -
          The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267): - -- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success." -- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image. -- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption. -- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error. -- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. -Download and install the KB4505903 update.

          See the section: How to get this update for information on specific release channels you can use to obtain the update. -
          White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
          -
          To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab -
          White glove gives a red screenWhite glove is not supported on a VM. -
          Error importing Windows Autopilot devices from a .csv fileEnsure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid. -
          Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8. -
          Something went wrong is displayed page during OOBE.The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements. -
          - -## Related topics - -[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          -[Troubleshooting Windows Autopilot](troubleshooting.md) \ No newline at end of file +--- +title: Windows Autopilot known issues +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot - known issues + +**Applies to** + +- Windows 10 + + +
          IssueMore information +
          The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267): + +- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success." +- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image. +- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption. +- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error. +- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. +Download and install the KB4505903 update.

          See the section: How to get this update for information on specific release channels you can use to obtain the update. +
          White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
          +
          To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab +
          White glove gives a red screenWhite glove is not supported on a VM. +
          Error importing Windows Autopilot devices from a .csv fileEnsure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid. +
          Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8. +
          Something went wrong is displayed page during OOBE.The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements. +
          + +## Related topics + +[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          +[Troubleshooting Windows Autopilot](troubleshooting.md) diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index 996999fc4f..6e54f66318 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -1,48 +1,48 @@ ---- -title: Configure Autopilot profiles -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Configure Autopilot profiles - -**Applies to** - -- Windows 10 - -For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). - -## Profile settings - -The following profile settings are available: - -- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. - -- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process. - -- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings. - -- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool. - -- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete. - -- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. - -- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. - -## Related topics - -[Profile download](troubleshooting.md#profile-download) -[Registering devices](add-devices.md) +--- +title: Configure Autopilot profiles +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Configure Autopilot profiles + +**Applies to** + +- Windows 10 + +For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). + +## Profile settings + +The following profile settings are available: + +- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. + +- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process. + +- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings. + +- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool. + +- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete. + +- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. + +- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. + +## Related topics + +[Profile download](troubleshooting.md#profile-download) +[Registering devices](add-devices.md) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index efa12958dc..9ae9105cbd 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -1,81 +1,81 @@ ---- -title: Windows Autopilot customer consent -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot customer consent - -**Applies to: Windows 10** - -This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. - -## CSP authorization - -CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions: - - -
          Direct CSPGets direct authorization from the customer to register devices. -
          Indirect CSP ProviderGets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. -
          Indirect CSP ResellerGets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. -
          - -### Steps - -For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process: - -1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so: - - CSP logs into Microsoft Partner Center - - Click **Dashboard** on the top menu - - Click **Customer** on the side menu - - Click the **Request a reseller relationship** link: - ![Request a reseller relationship](images/csp1.png) - - Select the checkbox indicating whether or not you want delegated admin rights: - ![Delegated rights](images/csp2.png) - - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges - - Send the template above to the customer via email. -2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: - - ![Global admin](images/csp3.png) - - NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: - - ![Not global admin](images/csp4.png) - -3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously. -4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example: - -![Customers](images/csp5.png) - -## OEM authorization - -Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com. - -1. OEM emails link to their customer. -2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page: - - ![Global admin](images/csp6.png) - - NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: - - ![Not global admin](images/csp7.png) -3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. - -4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. - -## Summary - -At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. - +--- +title: Windows Autopilot customer consent +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot customer consent + +**Applies to: Windows 10** + +This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. + +## CSP authorization + +CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions: + + +
          Direct CSPGets direct authorization from the customer to register devices. +
          Indirect CSP ProviderGets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. +
          Indirect CSP ResellerGets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. +
          + +### Steps + +For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process: + +1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so: + - CSP logs into Microsoft Partner Center + - Click **Dashboard** on the top menu + - Click **Customer** on the side menu + - Click the **Request a reseller relationship** link: + ![Request a reseller relationship](images/csp1.png) + - Select the checkbox indicating whether or not you want delegated admin rights: + ![Delegated rights](images/csp2.png) + - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges + - Send the template above to the customer via email. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: + + ![Global admin](images/csp3.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp4.png) + +3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously. +4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example: + +![Customers](images/csp5.png) + +## OEM authorization + +Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com. + +1. OEM emails link to their customer. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page: + + ![Global admin](images/csp6.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp7.png) +3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. + +4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. + +## Summary + +At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. + diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index ee06f80d04..939b4ac431 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop @@ -29,7 +30,7 @@ Self-deploying mode joins the device into Azure Active Directory, enrolls the de Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. >[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md). ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index dda5ad6943..2d857f5388 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -1,121 +1,121 @@ ---- -title: Troubleshooting Windows Autopilot -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Troubleshooting Windows Autopilot - -**Applies to: Windows 10** - -Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information. - -## Troubleshooting process - -Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device: - -- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. -- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. -- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. -- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. -- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). -- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. - -For troubleshooting, key activities to perform are: - -- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? -- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? -- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? -- Azure AD join issues. Was the device able to join Azure Active Directory? -- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? - -## Troubleshooting Autopilot OOBE issues - -If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that. - -### Windows 10 version 1803 and above - -To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration. - -| Event ID | Type | Description | -|----------|------|-------------| -| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. | -| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. | -| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. | -| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. | -| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. | -| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. | -| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. | -| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. | -| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. | -| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” | -| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. | -| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. | - -In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above. - -### Windows 10 version 1709 and above - -On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include: - -| Value | Description | -|-------|-------------| -| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. | -| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. | -| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.| -| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. | -| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. | -| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | - -### Windows 10 version 1703 and above - -On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information. - -## Troubleshooting Azure AD Join issues - -The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. - -Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. - -## Troubleshooting Intune enrollment issues - -See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. - -Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed. - -If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. - -## Profile download - -When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. - -When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. - -| Windows 10 version | Profile download behavior | -| --- | --- | -| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | -| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | -| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | - -If you need to reboot a computer during OOBE: -- Press Shift-F10 to open a command prompt. -- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). - -## Related topics - -[Windows Autopilot - known issues](known-issues.md)
          -[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          +--- +title: Troubleshooting Windows Autopilot +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Troubleshooting Windows Autopilot + +**Applies to: Windows 10** + +Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information. + +## Troubleshooting process + +Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device: + +- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. +- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. +- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. +- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. +- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). +- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. + +For troubleshooting, key activities to perform are: + +- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? +- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? +- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? +- Azure AD join issues. Was the device able to join Azure Active Directory? +- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? + +## Troubleshooting Autopilot OOBE issues + +If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that. + +### Windows 10 version 1803 and above + +To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration. + +| Event ID | Type | Description | +|----------|------|-------------| +| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. | +| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. | +| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. | +| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. | +| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. | +| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. | +| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. | +| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. | +| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. | +| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” | +| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. | +| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. | + +In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above. + +### Windows 10 version 1709 and above + +On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include: + +| Value | Description | +|-------|-------------| +| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. | +| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. | +| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.| +| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. | +| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. | +| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + +### Windows 10 version 1703 and above + +On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information. + +## Troubleshooting Azure AD Join issues + +The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. + +Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. + +## Troubleshooting Intune enrollment issues + +See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. + +Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed. + +If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. + +## Profile download + +When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. + +When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. + +| Windows 10 version | Profile download behavior | +| --- | --- | +| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | +| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | +| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | + +If you need to reboot a computer during OOBE: +- Press Shift-F10 to open a command prompt. +- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). + +## Related topics + +[Windows Autopilot - known issues](known-issues.md)
          +[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)
          diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index cce649aaf6..7629dc2ba8 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -1,99 +1,99 @@ ---- -title: Windows Autopilot User-Driven Mode -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot user-driven mode - -Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - -- Unbox the device, plug it in, and turn it on. -- Choose a language, locale and keyboard. -- Connect it to a wireless or wired network with internet access. -- Specify your e-mail address and password for your organization account. - -After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. - -Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -## Available user-driven modes - -The following options are available for user-driven deployment: - -- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. -- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. - -### User-driven mode for Azure Active Directory join - -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: - -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each device that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. - -Also see the [Validation](#validation) section below. - -### User-driven mode for hybrid Azure Active Directory join - -Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). - -#### Requirements - -To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - -- A Windows Autopilot profile for user-driven mode must be created and - - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. -- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. -- The device must be running Windows 10, version 1809 or later. -- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). -- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). -- The Intune Connector for Active Directory must be installed. - - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. -- If using Proxy, WPAD Proxy settings option must be enabled and configured. - -**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. - -#### Step by step instructions - -See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). - -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. - -## Validation - -When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: - -- If multiple languages are preinstalled in Windows 10, the user must pick a language. -- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Once connected to a network, the Autopilot profile will be downloaded. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. -- Once correct credentials have been entered, the device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- If configured, the [enrollment status page](enrollment-status.md) will be displayed. -- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. -- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. - -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. +--- +title: Windows Autopilot User-Driven Mode +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot user-driven mode + +Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: + +- Unbox the device, plug it in, and turn it on. +- Choose a language, locale and keyboard. +- Connect it to a wireless or wired network with internet access. +- Specify your e-mail address and password for your organization account. + +After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. + +Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +## Available user-driven modes + +The following options are available for user-driven deployment: + +- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. + +### User-driven mode for Azure Active Directory join + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the [Validation](#validation) section below. + +### User-driven mode for hybrid Azure Active Directory join + +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +#### Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). +- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. +- If using Proxy, WPAD Proxy settings option must be enabled and configured. + +**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. + +#### Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. + +## Validation + +When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: + +- If multiple languages are preinstalled in Windows 10, the user must pick a language. +- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Once connected to a network, the Autopilot profile will be downloaded. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. +- Once correct credentials have been entered, the device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- If configured, the [enrollment status page](enrollment-status.md) will be displayed. +- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. +- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 4c997d322d..75e7e3a334 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -7,9 +7,11 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay manager: laurawi -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.collection: M365-modern-desktop ms.topic: article --- @@ -44,7 +46,7 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m ## Preparation -Devices slated for WG provisioning are registered for Autopilot via the normal registration process. +Devices slated for white glove provisioning are registered for Autopilot via the normal registration process. To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios: diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 7058bc777e..a9317ae207 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop @@ -73,9 +74,9 @@ If the WNS services are not available, the Autopilot process will still continue If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. -Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). -Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. -Hybrid AAD joinHybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode +Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). +Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. +Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode ## Licensing requirements diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index d58d236a4f..d0424dce3f 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md @@ -1,135 +1,135 @@ ---- -title: Windows Autopilot Reset -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Reset - -- Applies to: Windows 10, version 1709 and later (local reset) -- Applies to: Windows 10, version 1809 and later (remote reset) - -Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. - -The Windows Autopilot Reset process automatically retains information from the existing device: - -- Set the region, language, and keyboard to the originally-configured values. -- Wi-Fi connection details. -- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated. -- Azure Active Directory device membership and MDM enrollment information. - -Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. - ->[!NOTE] ->The Autopilot Reset does not support Hybrid Azure AD joined devices. - -## Scenarios - -Windows Autopilot Reset supports two scenarios: - -- [Local reset](#reset-devices-with-local-windows-autopilot-reset) initiated by IT personnel or other administrators from the organization. -- [Remote reset](#reset-devices-with-remote-windows-autopilot-reset) initiated remotely by IT personnel via an MDM service such as Microsoft Intune. - -Additional requirements and configuration details apply with each scenario; see the detailed links above for more information. - -## Reset devices with local Windows Autopilot Reset - -**Applies to: Windows 10, version 1709 and above** - -The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add). - -IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. - -To enable local Autopilot Reset in Windows 10: - -1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset) -2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset) - -### Enable local Windows Autopilot Reset - -To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident. - -You can set the policy using one of these methods: - -- MDM provider - - - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted. - - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy. - -- Windows Configuration Designer - - You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package. - -- Set up School PCs app - - The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset. - -### Trigger local Windows Autopilot Reset - -Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use. - -**To trigger a local Autopilot Reset** - -1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. - - ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) - - This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. - - ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) - -2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset. - - Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use. - -## Reset devices with remote Windows Autopilot Reset - -**Applies to: Windows 10, version 1809 or later** - -When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process. - -To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md). - -### Triggering a remote Windows Autopilot Reset - -To trigger a remote Windows Autopilot Reset via Intune, follow these steps: - -- Navigate to **Devices** tab in the Intune console. -- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions. -- Select **Autopilot Reset** to kick-off the reset task. - ->[!NOTE] ->The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher. - ->[!IMPORTANT] ->The feature for Autopilot Reset will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device). - -Once the reset is complete, the device is again ready for use. - - - -## Troubleshooting - -Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported. - -To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: - -``` -reagentc /enable -``` - -If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +--- +title: Windows Autopilot Reset +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Reset + +- Applies to: Windows 10, version 1709 and later (local reset) +- Applies to: Windows 10, version 1809 and later (remote reset) + +Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. + +The Windows Autopilot Reset process automatically retains information from the existing device: + +- Set the region, language, and keyboard to the originally-configured values. +- Wi-Fi connection details. +- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated. +- Azure Active Directory device membership and MDM enrollment information. + +Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. + +>[!NOTE] +>The Autopilot Reset does not support Hybrid Azure AD joined devices. + +## Scenarios + +Windows Autopilot Reset supports two scenarios: + +- [Local reset](#reset-devices-with-local-windows-autopilot-reset) initiated by IT personnel or other administrators from the organization. +- [Remote reset](#reset-devices-with-remote-windows-autopilot-reset) initiated remotely by IT personnel via an MDM service such as Microsoft Intune. + +Additional requirements and configuration details apply with each scenario; see the detailed links above for more information. + +## Reset devices with local Windows Autopilot Reset + +**Applies to: Windows 10, version 1709 and above** + +The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add). + +IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. + +To enable local Autopilot Reset in Windows 10: + +1. [Enable the policy for the feature](#enable-local-windows-autopilot-reset) +2. [Trigger a reset for each device](#trigger-local-windows-autopilot-reset) + +### Enable local Windows Autopilot Reset + +To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident. + +You can set the policy using one of these methods: + +- MDM provider + + - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted. + - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy. + +- Windows Configuration Designer + + You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package. + +- Set up School PCs app + + The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset. + +### Trigger local Windows Autopilot Reset + +Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use. + +**To trigger a local Autopilot Reset** + +1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. + + ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + + This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes: + 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. + + ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) + +2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset. + + Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use. + +## Reset devices with remote Windows Autopilot Reset + +**Applies to: Windows 10, version 1809 or later** + +When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process. + +To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md). + +### Triggering a remote Windows Autopilot Reset + +To trigger a remote Windows Autopilot Reset via Intune, follow these steps: + +- Navigate to **Devices** tab in the Intune console. +- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions. +- Select **Autopilot Reset** to kick-off the reset task. + +>[!NOTE] +>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher. + +>[!IMPORTANT] +>The feature for Autopilot Reset will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device). + +Once the reset is complete, the device is again ready for use. + + + +## Troubleshooting + +Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported. + +To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: + +``` +reagentc /enable +``` + +If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index 938d13c7dc..5ee0171987 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -1,67 +1,67 @@ ---- -title: Windows Autopilot scenarios and capabilities -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot scenarios and capabilities - -**Applies to: Windows 10** - -## Scenarios - -Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). - -The following Windows Autopilot scenarios are described in this guide: - -| Scenario | More information | -| --- | --- | -| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) | -| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) | -| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) | -| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) | -| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) | - -## Windows Autopilot capabilities - -### Windows Autopilot is self-updating during OOBE - -Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. - -### Cortana voiceover and speech recognition during OOBE - -In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. - -If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. - -HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions - -The key value is a DWORD with **0** = disabled and **1** = enabled. - -| Value | Description | -| --- | --- | -| 0 | Cortana voiceover is disabled | -| 1 | Cortana voiceover is enabled | -| No value | Device will fall back to default behavior of the edition | - -To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). - -### Bitlocker encryption - -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) - -## Related topics - -[Windows Autopilot: What's new](windows-autopilot-whats-new.md) +--- +title: Windows Autopilot scenarios and capabilities +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot scenarios and capabilities + +**Applies to: Windows 10** + +## Scenarios + +Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). + +The following Windows Autopilot scenarios are described in this guide: + +| Scenario | More information | +| --- | --- | +| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) | +| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) | +| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) | +| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) | +| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) | + +## Windows Autopilot capabilities + +### Windows Autopilot is self-updating during OOBE + +Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. + +### Cortana voiceover and speech recognition during OOBE + +In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. + +If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. + +HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions + +The key value is a DWORD with **0** = disabled and **1** = enabled. + +| Value | Description | +| --- | --- | +| 0 | Cortana voiceover is disabled | +| 1 | Cortana voiceover is enabled | +| No value | Device will fall back to default behavior of the edition | + +To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). + +### Bitlocker encryption + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) + +## Related topics + +[Windows Autopilot: What's new](windows-autopilot-whats-new.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md index 6f157802ae..36ee6c06ad 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md @@ -1,52 +1,51 @@ ---- -title: Windows Autopilot what's new -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -audience: itpro -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot: What's new - -**Applies to** - -- Windows 10 - -## New in Windows 10, version 1903 - -[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video: - -
          - -> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI] - -Also new in this version of Windows: -- The Intune enrollment status page (ESP) now tracks Intune Management Extensions. -- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE. - -## New in Windows 10, version 1809 - -Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - ->[!NOTE] ->Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. - -## Related topics - -[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
          -[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/) \ No newline at end of file +--- +title: Windows Autopilot what's new +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot: What's new + +**Applies to** + +- Windows 10 + +## New in Windows 10, version 1903 + +[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video: + +
          + +> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI] + +Also new in this version of Windows: +- The Intune enrollment status page (ESP) now tracks Intune Management Extensions. +- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE. + +## New in Windows 10, version 1809 + +Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +>[!NOTE] +>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. + +## Related topics + +[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
          +[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 7ad46ca665..f307fbf265 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -1,65 +1,65 @@ ---- -title: Overview of Windows Autopilot -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Overview of Windows Autopilot - -**Applies to** - -- Windows 10 - -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. - -Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram: - - ![Process overview](images/image1.png) - -When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. - -Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. - -Windows Autopilot enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](windows-autopilot-requirements-configuration.md)). -* Restrict the Administrator account creation. -* Create and auto-assign devices to configuration groups based on a device's profile. -* Customize OOBE content specific to the organization. - -## Windows Autopilot walkthrough - -The following video shows the process of setting up Windows Autopilot: - -
          - - - -## Benefits of Windows Autopilot - -Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. - -From the user's perspective, it only takes a few simple operations to make their device ready to use. - -From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. - -## Requirements - -Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements. - -## Related topics - -[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
          -[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) \ No newline at end of file +--- +title: Overview of Windows Autopilot +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Overview of Windows Autopilot + +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. + +Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram: + + ![Process overview](images/image1.png) + +When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features. + +Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. + +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](windows-autopilot-requirements-configuration.md)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. + +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + +
          + + + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements. + +## Related topics + +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
          +[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index dfab99ad78..742ae20f20 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -4,11 +4,13 @@ description: To successfully deploy the Windows 10 operating system and applica ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 ms.reviewer: manager: laurawi -ms.author: greg-lindsay +ms.audience: itpro +author: greg-lindsay keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +audience: itpro author: greg-lindsay ms.topic: article --- diff --git a/windows/docfx.json b/windows/docfx.json index 0e7c823b17..21cba6820f 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -15,6 +15,7 @@ ], "globalMetadata": { "ROBOTS": "INDEX, FOLLOW", + "audience": "ITPro", "breadcrumb_path": "/itpro/windows/breadcrumb/toc.json", "_op_documentIdPathDepotMapping": { "./": { diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 78a9eb10fb..b850fee41f 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -34,6 +34,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "audience": "ITPro", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index acef50c475..aed5ac00b0 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -36,12 +36,12 @@ At Microsoft, we use Windows diagnostic data to inform our decisions and focus o To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: -- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. @@ -56,16 +56,16 @@ The release cadence of Windows may be fast, so feedback is critical to its succe ### What is Windows diagnostic data? Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces Here are some specific examples of Windows diagnostic data: -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers ### What is NOT diagnostic data? @@ -96,9 +96,9 @@ There was a version of a video driver that was crashing on some devices running Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. **These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 8577fea884..6f5daf90d1 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -44,8 +44,8 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. - >[!Important] - >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264). + >[!Important] + >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). ### Start the Diagnostic Data Viewer You can start this app from the **Settings** panel. diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 5a6da07e0b..55e655b1dc 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -34,6 +34,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", + "audience": "ITPro", "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md index 4797029729..3ad1a4a14e 100644 --- a/windows/privacy/gdpr-win10-whitepaper.md +++ b/windows/privacy/gdpr-win10-whitepaper.md @@ -105,11 +105,11 @@ A key provision within the GDPR is data protection by design and by default, and The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: -- Generate, store, and limit the use of cryptographic keys. +- Generate, store, and limit the use of cryptographic keys. -- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. +- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. -- Help to ensure platform integrity by taking and storing security measurements. +- Help to ensure platform integrity by taking and storing security measurements. Additional advanced device protection relevant to your operating without data breaches include Windows Trusted Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index f5a74dfff8..e2fa73f5c7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -154,14 +154,14 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt |**Allowed traffic endpoints** | | --- | -|ctldl.windowsupdate.com| +|activation-v2.sls.microsoft.com/*| |cdn.onenote.net| +|client.wns.windows.com| +|crl.microsoft.com/pki/crl/*| +|ctldl.windowsupdate.com| +|dm3p.wns.windows.com| +|\*microsoft.com/pkiops/\*| +|ocsp.digicert.com/*| |r.manage.microsoft.com| |tile-service.weather.microsoft.com| |settings-win.data.microsoft.com| -|client.wns.windows.com| -|dm3p.wns.windows.com| -|crl.microsoft.com/pki/crl/*| -|*microsoft.com/pkiops/**| -|activation-v2.sls.microsoft.com/*| -|ocsp.digicert.com/*| diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 4f007d6da6..ae5da4bba4 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -23,11 +23,11 @@ ms.reviewer: Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index c8c4bffe0c..2ad044d990 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -23,11 +23,11 @@ ms.reviewer: Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 2f2f90b82d..f574f6409d 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -23,11 +23,11 @@ ms.reviewer: Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 5400e152f2..01c084966d 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -22,11 +22,11 @@ ms.date: 5/3/2019 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json index 5bab1ca43c..4dcacaf204 100644 --- a/windows/release-information/docfx.json +++ b/windows/release-information/docfx.json @@ -38,6 +38,7 @@ "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json", "ms.prod": "w10", "ms.date": "4/30/2019", + "audience": "ITPro", "titleSuffix": "Windows Release Information", "extendBreadcrumb": true, "feedback_system": "None" diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index 048946f759..ab7065d60a 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -53,6 +54,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved
          KB4507458          		July 09, 2019
          10:00 AM PT
          Unable to access some gov.uk websites
          gov.uk websites that don’t support “HSTS” may not be accessible

          See details >          		OS Build 10240.18215

          May 14, 2019
          KB4499154          		Resolved
          KB4505051          		May 19, 2019
          02:00 PM PT
          Embedded objects may display incorrectly
          Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

          See details >          		OS Build 10240.18132

          February 12, 2019
          KB4487018          		Resolved
          KB4493475          		April 09, 2019
          10:00 AM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index c20d9b33f0..2c0de867c7 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -65,6 +66,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Resolved External
          		August 09, 2019
          04:25 PM PT
          SCVMM cannot enumerate and manage logical switches deployed on the host
          For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

          See details >          		OS Build 14393.2639

          November 27, 2018
          KB4467684          		Resolved
          KB4507459          		July 16, 2019
          10:00 AM PT
          Some applications may fail to run as expected on clients of AD FS 2016
          Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

          See details >          		OS Build 14393.2941

          April 25, 2019
          KB4493473          		Resolved
          KB4507459          		July 16, 2019
          10:00 AM PT
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

          See details >          		OS Build 14393.2969

          May 14, 2019
          KB4494440          		Resolved
          KB4507460          		July 09, 2019
          10:00 AM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml index b87928c05d..3401b26fdf 100644 --- a/windows/release-information/resolved-issues-windows-10-1703.yml +++ b/windows/release-information/resolved-issues-windows-10-1703.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -58,6 +59,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 15063.1868

          June 11, 2019
          KB4503279          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

          See details >          		OS Build 15063.1805

          May 14, 2019
          KB4499181          		Resolved
          KB4507450          		July 09, 2019
          10:00 AM PT
          Difficulty connecting to some iSCSI-based SANs
          Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

          See details >          		OS Build 15063.1839

          May 28, 2019
          KB4499162          		Resolved
          KB4509476          		June 26, 2019
          04:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 15063.1868

          June 11, 2019
          KB4503279          		Resolved
          KB4503289          		June 18, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 15063.1868

          June 11, 2019
          KB4503279          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index cd92b2d492..d2b59916e7 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -59,6 +60,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Difficulty connecting to some iSCSI-based SANs
          Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

          See details >          		OS Build 16299.1182

          May 28, 2019
          KB4499147          		Resolved
          KB4509477          		June 26, 2019
          04:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Resolved
          KB4503281          		June 18, 2019
          02:00 PM PT
          Opening Internet Explorer 11 may fail
          Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

          See details >          		OS Build 16299.1182

          May 28, 2019
          KB4499147          		Resolved
          KB4503284          		June 11, 2019
          10:00 AM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index 7174542746..24ad1254f2 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -59,6 +60,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Difficulty connecting to some iSCSI-based SANs
          Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

          See details >          		OS Build 17134.799

          May 21, 2019
          KB4499183          		Resolved
          KB4509478          		June 26, 2019
          04:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Resolved
          KB4503288          		June 18, 2019
          02:00 PM PT
          Opening Internet Explorer 11 may fail
          Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

          See details >          		OS Build 17134.799

          May 21, 2019
          KB4499183          		Resolved
          KB4503286          		June 11, 2019
          10:00 AM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index 0d43d708e8..f2dc569ffb 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -71,6 +72,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Difficulty connecting to some iSCSI-based SANs
          Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

          See details >          		OS Build 17763.529

          May 21, 2019
          KB4497934          		Resolved
          KB4509479          		June 26, 2019
          04:00 PM PT
          Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
          Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.

          See details >          		OS Build 17763.503

          May 14, 2019
          KB4494441          		Resolved
          KB4501371          		June 18, 2019
          02:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Resolved
          KB4501371          		June 18, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index 4e7aae8a05..ad7c9065b6 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -52,6 +53,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 18362.175

          June 11, 2019
          KB4503293          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Display brightness may not respond to adjustments
          Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Resolved
          KB4505903          		July 26, 2019
          02:00 PM PT
          RASMAN service may stop working and result in the error “0xc0000005”
          The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Resolved
          KB4505903          		July 26, 2019
          02:00 PM PT
          Loss of functionality in Dynabook Smartphone Link app
          After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

          See details >          		OS Build 18362.116

          May 20, 2019
          KB4505057          		Resolved
          		July 11, 2019
          01:54 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 18362.175

          June 11, 2019
          KB4503293          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 8d0678c091..33a6733fd2 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -60,6 +61,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503292          		Resolved External
          		August 09, 2019
          04:25 PM PT
          IE11 may stop working when loading or interacting with Power BI reports
          Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

          See details >          		May 14, 2019
          KB4499164          		Resolved
          KB4503277          		June 20, 2019
          02:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		June 11, 2019
          KB4503292          		Resolved
          KB4503277          		June 20, 2019
          02:00 PM PT
          Unable to access some gov.uk websites
          gov.uk websites that don’t support “HSTS” may not be accessible

          See details >          		May 14, 2019
          KB4499164          		Resolved
          KB4505050          		May 18, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503292          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index dc386260cc..9bf1ac9d82 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -61,6 +62,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503276          		Resolved External
          		August 09, 2019
          04:25 PM PT
          IE11 may stop working when loading or interacting with Power BI reports
          Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

          See details >          		May 14, 2019
          KB4499151          		Resolved
          KB4503283          		June 20, 2019
          02:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		June 11, 2019
          KB4503276          		Resolved
          KB4503283          		June 20, 2019
          02:00 PM PT
          Issue using PXE to start a device from WDS
          There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

          See details >          		March 12, 2019
          KB4489881          		Resolved
          KB4503276          		June 11, 2019
          10:00 AM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503276          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml index 1a7ffb0d7a..aeb08c2fd5 100644 --- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml +++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -52,6 +53,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503273          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		June 11, 2019
          KB4503273          		Resolved
          KB4503271          		June 20, 2019
          02:00 PM PT
          System unresponsive after restart if Sophos Endpoint Protection installed
          Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

          See details >          		April 09, 2019
          KB4493471          		Resolved
          		May 14, 2019
          01:21 PM PT
          System may be unresponsive after restart if Avira antivirus software installed
          Devices with Avira antivirus software installed may become unresponsive upon restart.

          See details >          		April 09, 2019
          KB4493471          		Resolved
          		May 14, 2019
          01:19 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503273          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml index b46a4674bf..532b8144c8 100644 --- a/windows/release-information/resolved-issues-windows-server-2012.yml +++ b/windows/release-information/resolved-issues-windows-server-2012.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -59,6 +60,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusDate resolved
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503285          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Some devices and generation 2 Hyper-V VMs may have issues installing updates
          Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.

          See details >          		June 11, 2019
          KB4503285          		Resolved
          KB4503295          		June 21, 2019
          02:00 PM PT
          IE11 may stop working when loading or interacting with Power BI reports
          Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

          See details >          		May 14, 2019
          KB4499171          		Resolved
          KB4503295          		June 21, 2019
          02:00 PM PT
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		June 11, 2019
          KB4503285          		Resolved
          KB4503295          		June 20, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503285          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 9f116c65f8..010cb9d55b 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - +
          SummaryOriginating updateStatusLast updated
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

          See details >          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved
          KB4507458          		July 09, 2019
          10:00 AM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 10240.18094

          January 08, 2019
          KB4480962          		Mitigated
          		April 25, 2019
          02:00 PM PT
          " @@ -72,12 +72,12 @@ sections:
          " -- title: June 2019 +- title: August 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Event Viewer may close or you may receive an error when using Custom Views
          When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: This issue was resolved in KB4507458.

          Back to top          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved
          KB4507458          		Resolved:
          July 09, 2019
          10:00 AM PT

          Opened:
          June 12, 2019
          11:11 AM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 10240.18244

          June 11, 2019
          KB4503291          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          " diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 4bfa74c40c..a554e88e9e 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,12 +60,13 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + + + - @@ -79,12 +80,23 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		August 01, 2019
          06:12 PM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		August 08, 2019
          07:18 PM PT
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
          Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

          See details >          		OS Build 14393.3053

          June 18, 2019
          KB4503294          		Investigating
          		August 01, 2019
          05:00 PM PT
          Internet Explorer 11 and apps using the WebBrowser control may fail to render
          JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

          See details >          		OS Build 14393.3085

          July 09, 2019
          KB4507460          		Mitigated
          		July 26, 2019
          04:58 PM PT
          SCVMM cannot enumerate and manage logical switches deployed on the host
          For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

          See details >          		OS Build 14393.2639

          November 27, 2018
          KB4467684          		Resolved
          KB4507459          		July 16, 2019
          10:00 AM PT
          Some applications may fail to run as expected on clients of AD FS 2016
          Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

          See details >          		OS Build 14393.2941

          April 25, 2019
          KB4493473          		Resolved
          KB4507459          		July 16, 2019
          10:00 AM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

          See details >          		OS Build 14393.2969

          May 14, 2019
          KB4494440          		Resolved
          KB4507460          		July 09, 2019
          10:00 AM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 14393.2724

          January 08, 2019
          KB4480961          		Mitigated
          		April 25, 2019
          02:00 PM PT
          Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
          Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

          See details >          		OS Build 14393.2608

          November 13, 2018
          KB4467691          		Mitigated
          		February 19, 2019
          10:00 AM PT
          Cluster service may fail if the minimum password length is set to greater than 14
          The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

          See details >          		OS Build 14393.2639

          November 27, 2018
          KB4467684          		Mitigated
          		April 25, 2019
          02:00 PM PT
          + + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
           Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

          Affected platforms:
          • Server: Windows Server 2019; Windows Server 2016
          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 14393.3053

          June 18, 2019
          KB4503294          		Investigating
          		Last updated:
          August 01, 2019
          05:00 PM PT

          Opened:
          August 01, 2019
          05:00 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 14393.3115

          July 16, 2019
          KB4507459          		Investigating
          		Last updated:
          August 08, 2019
          07:18 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Internet Explorer 11 and apps using the WebBrowser control may fail to render
          Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

          Affected platforms:
          • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server 2016
          Workaround: To mitigate this issue, you need to Enable Script Debugging using one of the following ways.

          You can configure the below registry key:
          Registry setting: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main
          Value: Disable Script Debugger
          Type: REG_SZ
          Data: no

          Or you can Enable Script Debugging in Internet Settings. You can open Internet Setting by either typing Internet Settings into the search box on Windows or by selecting Internet Options in Internet Explorer. Once open, select Advanced then Browsing and finally, select Enable Script Debugging.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 14393.3085

          July 09, 2019
          KB4507460          		Mitigated
          		Last updated:
          July 26, 2019
          04:58 PM PT

          Opened:
          July 26, 2019
          04:58 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 14393.3025

          June 11, 2019
          KB4503267          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          @@ -99,15 +111,6 @@ sections: " -- title: May 2019 -- items: - - type: markdown - text: " - - -
          DetailsOriginating updateStatusHistory
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

          Affected platforms:
          • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server 2016
          Resolution: This issue was resolved in KB4507460.

          Back to top          		OS Build 14393.2969

          May 14, 2019
          KB4494440          		Resolved
          KB4507460          		Resolved:
          July 09, 2019
          10:00 AM PT

          Opened:
          May 21, 2019
          08:50 AM PT
          - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 4dbe8ada26..58b6047c36 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,8 +60,8 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - - + +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		August 01, 2019
          06:12 PM PT
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

          See details >          		OS Build 15063.1805

          May 14, 2019
          KB4499181          		Resolved
          KB4507450          		July 09, 2019
          10:00 AM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 15063.1868

          June 11, 2019
          KB4503279          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		August 08, 2019
          07:18 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 15063.1563

          January 08, 2019
          KB4480973          		Mitigated
          		April 25, 2019
          02:00 PM PT
          " @@ -73,21 +73,22 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " + + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 15063.1868

          June 11, 2019
          KB4503279          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - -
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          - " - -- title: May 2019 -- items: - - type: markdown - text: " - - +
          DetailsOriginating updateStatusHistory
          Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
          Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.

          Affected platforms:
          • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server 2016
          Resolution: This issue was resolved in KB4507450.

          Back to top          		OS Build 15063.1805

          May 14, 2019
          KB4499181          		Resolved
          KB4507450          		Resolved:
          July 09, 2019
          10:00 AM PT

          Opened:
          May 21, 2019
          08:50 AM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 15063.1955

          July 16, 2019
          KB4507467          		Investigating
          		Last updated:
          August 08, 2019
          07:18 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          " diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index cee8270547..279e20ebd2 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,7 +60,8 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		August 01, 2019
          06:12 PM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		August 08, 2019
          07:18 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 16299.904

          January 08, 2019
          KB4480978          		Mitigated
          		April 25, 2019
          02:00 PM PT
          @@ -73,12 +74,22 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " + + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 16299.1296

          July 16, 2019
          KB4507465          		Investigating
          		Last updated:
          August 08, 2019
          07:18 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 16299.1217

          June 11, 2019
          KB4503284          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          " diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index fccb71eca1..ab543899da 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -20,6 +20,11 @@ sections: text: " Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + +
          Current status as of August 7, 2019:
          +
          Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the release information dashboard.
          +
          + " - items: @@ -60,7 +65,8 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + + @@ -74,12 +80,22 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		August 01, 2019
          06:12 PM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		August 08, 2019
          07:18 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Startup to a black screen after installing updates
          Your device may startup to a black screen during the first logon after installing updates.

          See details >          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Mitigated
          		June 14, 2019
          04:41 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

          See details >          		OS Build 17134.523

          January 08, 2019
          KB4480966          		Mitigated
          		April 25, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17134.915

          July 16, 2019
          KB4507466          		Investigating
          		Last updated:
          August 08, 2019
          07:18 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17134.829

          June 11, 2019
          KB4503286          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          " diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index de3ecd7333..d67d705cf0 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -18,7 +18,7 @@ sections: - items: - type: markdown text: " - Find information on known issues and the status of the rollout for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + Find information on known issues for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
          Current status:
          Windows 10, version 1809 is designated for broad deployment and available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. @@ -64,7 +64,9 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          - + + + @@ -79,12 +81,23 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		August 01, 2019
          06:12 PM PT
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		August 08, 2019
          07:18 PM PT
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
          Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

          See details >          		OS Build 17763.55

          October 09, 2018
          KB4464330          		Investigating
          		August 01, 2019
          05:00 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Startup to a black screen after installing updates
          Your device may startup to a black screen during the first logon after installing updates.

          See details >          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Mitigated
          		June 14, 2019
          04:41 PM PT
          Devices with some Asian language packs installed may receive an error
          After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

          See details >          		OS Build 17763.437

          April 09, 2019
          KB4493509          		Mitigated
          		May 03, 2019
          10:59 AM PT
          + + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          Apps and scripts using the NetQueryDisplayInformation API may fail with error
           Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

          Affected platforms:
          • Server: Windows Server 2019; Windows Server 2016
          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.55

          October 09, 2018
          KB4464330          		Investigating
          		Last updated:
          August 01, 2019
          05:00 PM PT

          Opened:
          August 01, 2019
          05:00 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 17763.652

          July 22, 2019
          KB4505658          		Investigating
          		Last updated:
          August 08, 2019
          07:18 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.557

          June 11, 2019
          KB4503327          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          " @@ -103,7 +116,7 @@ sections: - type: markdown text: " - +
          DetailsOriginating updateStatusHistory
          Devices with some Asian language packs installed may receive an error
          After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

          Affected platforms:
          • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
          • Server: Windows Server, version 1809; Windows Server 2019
          Workaround:
          1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
          2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
          Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
          1. Go to Settings app -> Recovery.
          2. Click on Get Started under \"Reset this PC\" recovery option.
          3. Select \"Keep my Files\".
          Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.437

          April 09, 2019
          KB4493509          		Mitigated
          		Last updated:
          May 03, 2019
          10:59 AM PT

          Opened:
          May 02, 2019
          04:36 PM PT
          Devices with some Asian language packs installed may receive an error
          After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

          Affected platforms:
          • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
          • Server: Windows Server, version 1809; Windows Server 2019
          Workaround:
          1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
          2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
          Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
            1. Go to Settings app -> Recovery.
            2. Click on Get Started under \"Reset this PC\" recovery option.
            3. Select \"Keep my Files\".
          Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 17763.437

          April 09, 2019
          KB4493509          		Mitigated
          		Last updated:
          May 03, 2019
          10:59 AM PT

          Opened:
          May 02, 2019
          04:36 PM PT
          " diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index b2ca8f3142..1eff433b4f 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -18,7 +18,7 @@ sections: - items: - type: markdown text: " - Find information on known issues for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + Find information on known issues and the status of the rollout for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + + + +
          Current status as of July 16, 2019:
          @@ -65,10 +65,11 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          + + + - - @@ -91,13 +92,23 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		OS Build 18362.175

          June 11, 2019
          KB4503293          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		August 09, 2019
          02:20 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		August 08, 2019
          07:18 PM PT
          Intermittent loss of Wi-Fi connectivity
          Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Mitigated External
          		August 01, 2019
          08:44 PM PT
          Gamma ramps, color profiles, and night light settings do not apply in some cases
          Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Mitigated
          		August 01, 2019
          06:27 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		August 01, 2019
          06:12 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		August 01, 2019
          05:58 PM PT
          Display brightness may not respond to adjustments
          Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

          See details >          		OS Build 18362.116

          May 21, 2019
          KB4505057          		Resolved
          KB4505903          		July 26, 2019
          02:00 PM PT
          RASMAN service may stop working and result in the error “0xc0000005”
          The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Resolved
          KB4505903          		July 26, 2019
          02:00 PM PT
          The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
          Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

          See details >          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		July 16, 2019
          09:04 AM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		OS Build 18362.175

          June 11, 2019
          KB4503293          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown text: " - - + + diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index 23ba82cf44..88c5129963 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          DetailsOriginating updateStatusHistory
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          August 01, 2019
          06:12 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

          To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

          Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.6.1044.

          Affected platforms:
          • Client: Windows 10, version 1903
          • Server: Windows Server, version 1903
          Next steps: To resolve this issue, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for the May 2019 Update. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

          Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		Last updated:
          August 01, 2019
          05:58 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Issues updating when certain versions of Intel storage drivers are installed
          Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

          To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

          Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

          Affected platforms:
          • Client: Windows 10, version 1903
          • Server: Windows Server, version 1903
          Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

          Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

          Next Steps: We are working on a resolution and estimate a solution will be available in late August.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Mitigated External
          		Last updated:
          August 09, 2019
          02:20 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          Domain connected devices that use MIT Kerberos realms will not start up
          Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

          To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

          Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
          HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
          Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          August 08, 2019
          07:18 PM PT

          Opened:
          July 25, 2019
          06:10 PM PT
          The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
          Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

          To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

          Affected platforms:
          • Client: Windows 10, version 1903
          Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

          Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          July 16, 2019
          09:04 AM PT

          Opened:
          July 12, 2019
          04:20 PM PT
          Initiating a Remote Desktop connection may result in black screen
          When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

          Affected platforms:
          • Client: Windows 10, version 1903
          • Server: Windows Server, version 1903
          Next steps: We are working on a resolution that will be made available in upcoming release.

          Back to top          		OS Build 18362.145

          May 29, 2019
          KB4497935          		Investigating
          		Last updated:
          July 12, 2019
          04:42 PM PT

          Opened:
          July 12, 2019
          04:42 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

          Affected platforms:
          • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
          Workaround:
          To mitigate this issue on an SCCM server:
          1. Verify Variable Window Extension is enabled.
          2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
          Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

          To mitigate this issue on a WDS server without SCCM:
          1. In WDS TFTP settings, verify Variable Window Extension is enabled.
          2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
          3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
          Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

          Next steps: We are working on a resolution and will provide an update in an upcoming release.

          Back to top          		OS Build 18362.175

          June 11, 2019
          KB4503293          		Mitigated
          		Last updated:
          July 10, 2019
          07:09 PM PT

          Opened:
          July 10, 2019
          02:51 PM PT
          +
          SummaryOriginating updateStatusLast updated
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503292          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		June 11, 2019
          KB4503292          		Mitigated
          		July 10, 2019
          02:59 PM PT
          System may be unresponsive after restart with certain McAfee antivirus products
          Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

          See details >          		April 09, 2019
          KB4493472          		Mitigated
          		April 25, 2019
          02:00 PM PT
          @@ -72,6 +73,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " + + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503292          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 36e559e6aa..a15ed55837 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          + @@ -74,6 +75,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503276          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		June 11, 2019
          KB4503276          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Japanese IME doesn't show the new Japanese Era name as a text input option
          If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

          See details >          		April 25, 2019
          KB4493443          		Mitigated
          		May 15, 2019
          05:53 PM PT
          System may be unresponsive after restart with certain McAfee antivirus products
          Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

          See details >          		April 09, 2019
          KB4493446          		Mitigated
          		April 18, 2019
          05:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503276          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index f3d9d5d69b..7e730c134a 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          +
          SummaryOriginating updateStatusLast updated
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503273          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		June 11, 2019
          KB4503273          		Mitigated
          		July 10, 2019
          02:59 PM PT
          " @@ -71,6 +72,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " + + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503273          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 55b84c6427..ed7deea5f4 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
          This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

          + @@ -73,6 +74,15 @@ sections:
          " +- title: August 2019 +- items: + - type: markdown + text: " +
          SummaryOriginating updateStatusLast updated
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

          See details >          		June 11, 2019
          KB4503285          		Resolved External
          		August 09, 2019
          04:25 PM PT
          Devices starting using PXE from a WDS or SCCM servers may fail to start
          Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

          See details >          		June 11, 2019
          KB4503285          		Mitigated
          		July 10, 2019
          07:09 PM PT
          Japanese IME doesn't show the new Japanese Era name as a text input option
          If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

          See details >          		April 25, 2019
          KB4493462          		Mitigated
          		May 15, 2019
          05:53 PM PT
          Certain operations performed on a Cluster Shared Volume may fail
          Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

          See details >          		January 08, 2019
          KB4480975          		Mitigated
          		April 25, 2019
          02:00 PM PT
          + +
          DetailsOriginating updateStatusHistory
          MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
          You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

          Affected platforms:
          • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
          • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
          Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

          Back to top          		June 11, 2019
          KB4503285          		Resolved External
          		Last updated:
          August 09, 2019
          04:25 PM PT

          Opened:
          August 09, 2019
          04:25 PM PT
          + " + - title: July 2019 - items: - type: markdown diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 14b733039f..328ee569c2 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -35,6 +35,8 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", + "manager": "dansimp", + "audience": "ITPro", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index d8db3e63d2..c1d0c47fdc 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -194,9 +194,9 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| | S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| | S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.| +| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| | S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
          The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| +| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
          The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| | S-1-5-8| Proxy| Does not currently apply: this SID is not used.| | S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| | S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index c67ea0ab51..870cc58a84 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -143,7 +143,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 1a19c1ea01..e50ae1fdfb 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -34,14 +34,14 @@ The following known issue has been fixed in the [Cumulative Security Update for The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) +- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) -- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) +- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) - This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: + This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: - Windows 10 Version 1607 and Windows Server 2016: [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217) @@ -52,30 +52,30 @@ The following known issues have been fixed by servicing releases made available The following issue affects the Java GSS API. See the following Oracle bug database article: -- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) +- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following issue affects Cisco AnyConnect Secure Mobility Client: -- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* +- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* *Registration required to access this article. The following issue affects McAfee Application and Change Control (MACC): -- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] +- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] The following issue affects AppSense Environment Manager. For further information, see the following Knowledge Base article: -- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** +- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** The following issue affects Citrix applications: -- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1] +- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1] [1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article: -- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786) +- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786) For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx) @@ -86,7 +86,7 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated ## Vendor support See the following article on Citrix support for Secure Boot: -- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) +- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 3fe994764f..a583960ecd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -106,7 +106,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](https://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. - + + ### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). @@ -115,7 +116,7 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. ### Review Windows Defender Credential Guard performance @@ -199,7 +200,8 @@ To disable Windows Defender Credential Guard, you can use the following set of p For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - + + #### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). @@ -208,7 +210,7 @@ You can also disable Windows Defender Credential Guard by using the [Windows Def DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. #### Disable Windows Defender Credential Guard for a virtual machine diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 2e1a83d9b7..582af34a67 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -96,7 +96,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -112,7 +112,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -121,7 +121,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -172,7 +172,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -363,7 +363,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 0b6d13f777..dae9193c68 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -25,7 +25,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -216,7 +216,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 3c60042dd6..18314f3f58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -44,7 +44,7 @@ Windows Hello provides many benefits, including: - Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
          For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. -## Where is Microsoft Hello data stored? +## Where is Windows Hello data stored? The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. ## Has Microsoft set any device requirements for Windows Hello? diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 1a029f2dc9..37591f1f54 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -147,7 +147,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 ### On-premises Deployments -** Requirements** +**Requirements** * Active Directory * On-premises Windows Hello for Business deployment * Reset from settings - Windows 10, version 1703, Professional @@ -260,7 +260,7 @@ Users appreciate convenience of biometrics and administrators value the security ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png) > [!IMPORTANT] -> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.\ +> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2fc0996eb0..73c0ca23ab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -79,7 +79,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ 2. Click **Login** and provide Azure credentials -3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid] is the user principal name of user in Azure Active Directory. Click **Go** +3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) @@ -659,7 +659,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**. +15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1df71e5f3d..433457239a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -196,10 +196,19 @@ In a federated Azure AD configuration, devices rely on Active Directory Federati Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. +When you're using AD FS, you need to enable the following WS-Trust endpoints: +`/adfs/services/trust/2005/windowstransport` +`/adfs/services/trust/13/windowstransport` +`/adfs/services/trust/2005/usernamemixed` +`/adfs/services/trust/13/usernamemixed` +`/adfs/services/trust/2005/certificatemixed` +`/adfs/services/trust/13/certificatemixed` + +> [!WARNING] +> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. + > [!NOTE] -> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. -> -> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). +>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX). The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 71517e7da8..cd40458897 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). +> [!NOTE] +> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. + ### Section Review > [!div class="checklist"] > * Azure Active Directory Connect directory synchronization diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 05a4294ad7..f65eaf8b20 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -151,7 +151,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 73e64d3e70..1b30d94278 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -33,9 +33,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs on ## Enable Windows Hello for Business Group Policy -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10. ## Create the Windows Hello for Business Group Policy object diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 19a03daf36..06aa82ad4b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -18,6 +18,9 @@ ms.reviewer: --- # Validate and Deploy Multifactor Authentication Services (MFA) +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. + **Applies to** - Windows 10, version 1703 or later - On-premises deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 68ee7e67cf..207675b3e4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -166,11 +166,13 @@ If your organization does not have cloud resources, write **On-Premises** in box ### Trust type +Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. + Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 062ad20bc7..d9a19aed80 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,5 +1,5 @@ --- -title: Password-less Strategy +title: Passwordless Strategy description: Reducing Password Usage Surface keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 @@ -14,195 +14,195 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +ms.reviewer: --- -# Password-less Strategy +# Passwordless Strategy -## Four steps to Password-less +## Four steps to password freedom -Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less. -![Password-less approach](images/four-steps-passwordless.png) +Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. +![Passwordless approach](images/four-steps-passwordless.png) ### 1. Develop a password replacement offering -Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory. +Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. -### 3. Transition into a password-less deployment -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: - - the user never types their password - - the user never changes their password - - the user does not know their password +### 3. Transition into a passwordless deployment +Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: + - the users never type their password + - the users never change their password + - the users do not know their password -In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. +In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory -The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. +The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology -The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. +Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. -### Prepare for the Journey -The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. +### Prepare for the Journey +The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the: - Number of departments -- Organization or department hierarchy +- Organization or department hierarchy - Number and type of applications and services - Number of work personas - Organization's IT structure -#### Number of departments -The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. +#### Number of departments +The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly, while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which ones do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. #### Number of work personas -Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. +Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name. -Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. +Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person who is in that department and who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. #### Assess your Organization -You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? +You have a ton of information. You have created your work personas, you have identified your stakeholders throughout the different IT groups. Now what? -By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why it is a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you have identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it is only a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project which must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they have agreed on the strategy). Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces - work with stakeholders to create solutions that mitigate user-visible password surfaces - add the solution to the project backlog and prioritize against other projects -- deploy solution -- User acceptance testing to confirm the solution mitigates the user-visible password surface -- Repeat as needed +- deploy the solution +- perform user acceptance testing to confirm that the solution mitigates the user-visible password surface +- repeat the testing as needed -Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. +Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? -What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the journey to password freedom? You will want to show your management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. -#### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. +#### Work persona +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the steps to password freedom. > [!IMPORTANT] -> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. +> Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of the targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. +You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: -1. Password-less replacement offering (Step 1) - 1. Identify test users that represent the targeted work persona. +1. Passwordless replacement offering (Step 1) + 1. Identify test users representing the targeted work persona. 2. Deploy Windows Hello for Business to test users. - 3. Validate password and Windows Hello for Business work. + 3. Validate that passwords and Windows Hello for Business work. 2. Reduce User-visible Password Surface (Step 2) 1. Survey test user workflow for password usage. 2. Identify password usage and plan, develop, and deploy password mitigations. 3. Repeat until all user password usage is mitigated. - 4. Remove password capabilities from the Windows. - 5. Validate **all** workflows do not need passwords. -3. Transition into a password-less (Step 3) - 1. Awareness campaign and user education. - 2. Including remaining users that fit the work persona. - 3. Validate **all** users of the work personas do not need passwords. - 4. Configure user accounts to disallow password authentication. + 4. Remove password capabilities from Windows. + 5. Validate that **none of the workflows** need passwords. +3. Transition into a passwordless scenario (Step 3) + 1. Awareness campaign and user education. + 2. Include remaining users who fit the work persona. + 3. Validate that **none of the users** of the work personas need passwords. + 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. -### Password-less replacement offering (Step 1) -THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. +### Passwordless replacement offering (Step 1) +The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users -Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. +Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. +With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. > [!NOTE] -> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. +> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. -#### Validate password and Windows Hello for Business work -In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. +#### Validate that passwords and Windows Hello for Business work +In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. ### Reduce User-visible Password Surface (Step 2) Before you move to step 2, ensure you have: -- selected your targeted work persona. -- identified your test users that represented the targeted work persona. +- selected your targeted work persona. +- identified your test users who represent the targeted work persona. - deployed Windows Hello for Business to test users. - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. +Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as you further your progress through step 2. -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: +Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: - What is the name of the application that asked for a password?. - Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?). - What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.). - How frequently do you use this application in a given day? week? -- Is the password you type into the application the same as the password you use to sign-in to Windows? +- Is the password you type into the application the same as the password you use to sign-in to Windows? -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. +Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless. #### Identify password usage and plan, develop, and deploy password mitigations -Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. +Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. -Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. +Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it is policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. -Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: +Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. -Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. +Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. -Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). +Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). -The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. +The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. -Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate. +Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. #### Repeat until all user password usage is mitigated -Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. +Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance. -#### Remove password capabilities from the Windows -You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. +#### Remove password capabilities from Windows +You believe you have mitigated all the password usage for the targeted work persona. Now comes the true test - configure Windows so the user cannot use a password. -Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. +Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. -##### Security Policy -You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. +##### Security Policy +You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. ![securityPolicyLocation](images/passwordless/00-securityPolicy.png) **Windows Server 2016 and earlier** @@ -213,33 +213,33 @@ The policy name for these operating systems is **Interactive logon: Require smar The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. ![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) -When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. +When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** +You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon** ![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. ![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png) -Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. +Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. -#### Validate all workflows do not need passwords -This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. +#### Validate that none of the workflows needs passwords +This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. -### Transition into a password-less deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. +### Transition into a passwordless deployment (Step 3) +Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education -In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. +In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this, you want to invest in an awareness campaign. -An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. +An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. #### Including remaining users that fit the work persona -You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. +You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment. -#### Validate **all** users of the work personas do not need passwords. -You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. +#### Validate that none of the users of the work personas needs passwords +You have successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they do not encounter any issues while working in a passwordless environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: - Is the reporting user performing a task outside the work persona? @@ -247,24 +247,24 @@ Track all reported issues. Set priority and severity to each reported issue and - Is the outage a result of a misconfiguration? - Is the outage a overlooked gap from step 2? -Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. +Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. -You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL). > [!NOTE] -> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. +> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password @@ -274,7 +274,7 @@ When you configure an user account for SCRIL, Active Directory changes the affec **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** > [!NOTE] -> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. +> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. ![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** @@ -283,14 +283,14 @@ When you configure an user account for SCRIL, Active Directory changes the affec > Windows Hello for Business was formerly known as Microsoft Passport. ##### Automatic password change for SCRIL configured users -Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. +Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. -In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. +In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] -> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. +> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a passwordless future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index b6001998ed..d55a5400cc 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -17,7 +17,7 @@ ms.date: 02/05/2018 # Identity and access management -Learn more about identity annd access management technologies in Windows 10 and Windows 10 Mobile. +Learn more about identity and access management technologies in Windows 10 and Windows 10 Mobile. | Section | Description | |-|-| diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 8029b9b1b9..acd70ac9ea 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -206,7 +206,7 @@ This command returns the volumes on the target, current encryption status and vo For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -237,7 +237,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` @@ -382,13 +382,13 @@ Occasionally, all protectors may not be shown when using Get-BitLockerVo If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` > **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. @@ -398,19 +398,19 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. To enable BitLocker with just the TPM protector. This can be done using the command: -``` syntax +```powershell Enable-BitLocker C: ``` The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` ### Data volume Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -423,12 +423,12 @@ The ADAccountOrGroup protector is an Active Directory SID-based protector. This To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` > **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. @@ -437,7 +437,7 @@ get-aduser -filter {samaccountname -eq "administrator"} In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` > **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. @@ -469,7 +469,7 @@ Administrators who prefer a command line interface can utilize manage-bde to che To check the status of a volume using manage-bde, use the following command: -``` syntax +```powershell manage-bde -status ``` > **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. @@ -480,7 +480,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: -``` syntax +```powershell Get-BitLockerVolume -Verbose | fl ``` This command will display information about the encryption method, volume type, key protectors, etc. @@ -506,12 +506,12 @@ Once decryption is complete, the drive will update its status in the control pan Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: -``` syntax +```powershell manage-bde -off C: ``` This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: -``` syntax +```powershell manage-bde -status C: ``` ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets @@ -520,12 +520,12 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: -``` syntax +```powershell Disable-BitLocker ``` If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: -``` syntax +```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 70ba14d6a6..f8d1a6e1f9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -52,14 +52,14 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. -``` syntax +```powershell Install-WindowsFeature BitLocker -WhatIf ``` The results of this command show that only the BitLocker Drive Encryption feature installs using this command. To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` @@ -75,7 +75,7 @@ The result of this command displays the following list of all the administration The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` @@ -85,7 +85,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. -``` syntax +```powershell Get-WindowsOptionalFeature -Online | ft ``` @@ -93,13 +93,13 @@ From this output, we can see that there are three BitLocker related optional fea To install BitLocker using the `dism` module, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` ## More information diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 6545ca0992..49b3e4f60f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -313,7 +313,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Verify the clients were rebooted after applying the policy. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - ``` syntax + ```powershell manage-bde –protectors –get C: ``` >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index f21beec5e9..bde16da8e3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -278,26 +278,25 @@ You can reset the recovery password in two ways: 1. Remove the previous recovery password - ``` syntax + ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` 2. Add the new recovery password - ``` syntax + ```powershell Manage-bde –protectors –add C: -RecoveryPassword - ``` 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. - ``` syntax + ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword - ``` + 4. Backup the new recovery password to AD DS - ``` syntax + ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` >**Warning:**  You must include the braces in the ID string. @@ -315,7 +314,7 @@ You can reset the recovery password in two ways: You can use the following sample script to create a VBScript file to reset the recovery passwords. -``` syntax +```vb ' Target drive letter strDriveLetter = "c:" ' Target computer name @@ -404,7 +403,7 @@ The following sample script exports all previously-saved key packages from AD D You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- @@ -551,7 +550,7 @@ The following sample script exports a new key package from an unlocked, encrypte **cscript GetBitLockerKeyPackage.vbs -?** -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 30fea18843..20ab73acfb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -46,7 +46,7 @@ Listed below are examples of basic valid commands for operating system volumes. A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: -``` syntax +```powershell manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: @@ -55,7 +55,7 @@ This command returns the volumes on the target, current encryption status, encry The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -64,7 +64,7 @@ manage-bde -on C: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: -``` syntax +```powershell manage-bde -protectors -add C: -pw -sid ``` @@ -72,13 +72,13 @@ This command will require you to enter and then confirm the password protector b On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: -``` syntax +```powershell manage-bde -on C: ``` This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: -``` syntax +```powershell manage-bde -protectors -get ``` ### Using manage-bde with data volumes @@ -87,7 +87,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` @@ -257,7 +257,7 @@ If you want to remove the existing protectors prior to provisioning BitLocker on A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` @@ -266,7 +266,7 @@ Using this, you can display the information in the $keyprotectors variable to de Using this information, you can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` @@ -278,13 +278,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the ma The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: -``` syntax +```powershell Enable-BitLocker C: - ``` + In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` @@ -293,7 +293,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -306,7 +306,7 @@ The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2 To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` @@ -314,7 +314,7 @@ For users who wish to use the SID for the account or group, the first step is to >**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` @@ -322,7 +322,7 @@ get-aduser -filter {samaccountname -eq "administrator"} The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index e19f192e4c..01c9fe213f 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -66,13 +66,13 @@ BitLocker encryption is available for disks before or after addition to a cluste 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster - ``` + 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` @@ -88,32 +88,32 @@ When the cluster service owns a disk resource already, it needs to be set into m 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" ``` 3. Put the physical disk resource into maintenance mode using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` 4. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster ``` 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. 6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` @@ -146,7 +146,7 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. -``` syntax +```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 08af5d2456..96b109ce32 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -172,6 +172,17 @@ You can try any of the processes included in these scenarios, but you should foc
          Stop Google Drive from syncing WIP protected files and folders. +
            +
          • In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.
            • +
          • Google Drive details
            • + Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US + File=GOOGLEDRIVESYNC.EXE +
          +
          >[!NOTE] diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 08a7fe11e3..cf6a9871cb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -394,7 +394,7 @@ ####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md) ####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md) ####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md) -####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md) +####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md) ###### [File]() ####### [File methods and properties](microsoft-defender-atp/files.md) @@ -405,9 +405,9 @@ ###### [IP]() ####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md) -####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md) +####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md) ####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md) -####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md) +####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md) ###### [User]() ####### [User methods](microsoft-defender-atp/user.md) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index c5c5466214..d72c39898d 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -39,6 +39,26 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit failure events, click **Fail.** - To audit all events, click **All.** + + +6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: + + - **This folder only** + - **This folder, subfolders and files** + - **This folder and subfolders** + - **This folder and files** + - **Subfolders and files only** + - **Subfolders only** + - **Files only** + +7. By default, the selected **Basic Permissions** to audit are the following: + - **Read and execute** + - **List folder contents** + - **Read** + - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. + + + > **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## Additional considerations diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 163c584492..2ca7cca35a 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -30,9 +30,9 @@ There is no example of this event in this document. ***Event Schema:*** -*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. * +*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.* -*Number of audit messages discarded: %1 * +*Number of audit messages discarded: %1* *This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.* diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index be8925c8ba..9231f28b82 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -48,7 +48,7 @@ It appears that this event never occurs. *LPC Server Port Name:%6* -*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." * +*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index f3c3ed088b..2ca7e8267c 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” -**Logon Information** \[Version 2\]**: ** +**Logon Information** \[Version 2\]**:** - **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 95a2dfe34f..45dcd000c9 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 8e1fe42fab..94d84a85cf 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -151,7 +151,7 @@ This event generates every time a new process starts. - **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. -- **Token Elevation Type** \[Type = UnicodeString\]**: ** +- **Token Elevation Type** \[Type = UnicodeString\]**:** - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index f9b06a7a3b..f78b83ef3c 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -99,7 +99,7 @@ You will see unique event for every user. - **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**New Right: ** +**New Right:** - **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index d009b73786..09c240e026 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -99,7 +99,7 @@ You will see unique event for every user. - **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Removed Right: ** +**Removed Right:** - **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 38d46d5ace..c51f51c999 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index f04223bd5b..13f2c744aa 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu - **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Access Granted: ** +**Access Granted:** - **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index a86f9f5168..9bb398d835 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m - **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Access Removed: ** +**Access Removed:** - **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 8597d956a6..faa3dcf853 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -266,7 +266,7 @@ For 4738(S): A user account was changed. |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Display Name**
          **User Principal Name**
          **Home Directory**
          **Home Drive**
          **Script Path**
          **Profile Path**
          **User Workstations**
          **Password Last Set**
          **Account Expires**
          **Primary Group ID
          Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. | | **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | -| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | - Consider whether to track the following user account control flags: diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 22ae105d96..b39135ee00 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -276,7 +276,7 @@ For 4742(S): A computer account was changed. | **Display Name** is not -
          **User Principal Name** is not -
          **Home Directory** is not -
          **Home Drive** is not -
          **Script Path** is not -
          **Profile Path** is not -
          **User Workstations** is not -
          **Account Expires** is not -
          **Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. | | **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. | | **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
          **516** for domain controllers
          **521** for read only domain controllers (RODCs)
          **515** for servers and workstations (domain computers)
          Other values should be monitored. | -| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | - Consider whether to track the following account control flags: diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 74ffbb09b0..efdf01da8a 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic | Job | Port | FilterConnectionPort | | | ALPC Port | Semaphore | Adapter | | -- **Object Name: ** +- **Object Name:** - Key – if “Registry” Global Object Access Auditing policy was changed. @@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index e62c824d10..62ced88fe8 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -44,7 +44,7 @@ There is no example of this event in this document. *Security ID:%7* -*New Flags:%8 * +*New Flags:%8* ***Required Server Roles:*** Active Directory domain controller. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index f74c140ce4..34454c6d14 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects. - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index cc73362f36..d385a72649 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index f8dcd9f29b..3be7e9bec3 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -156,7 +156,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 81e6052b16..c7f46521ae 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -141,7 +141,7 @@ This event generates every time network share object was modified. - **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 696faaadce..f5ec73669e 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. - ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 4d84e4bb68..c1f8d98680 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -52,7 +52,7 @@ There is no example of this event in this document. > > *Layer Name:%9* > -> *Layer Run-Time ID:%10 * +> *Layer Run-Time ID:%10* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 25faaeb212..699a093def 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -52,7 +52,7 @@ There is no example of this event in this document. > > *Layer Name:%9* > -> *Layer Run-Time ID:%10 * +> *Layer Run-Time ID:%10* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index d018fdee5e..7a379132bc 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -30,7 +30,7 @@ There is no example of this event in this document. *BranchCache: Received an incorrectly formatted response while discovering availability of content.* -*IP address of the client that sent this response:%1 * +*IP address of the client that sent this response:%1* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 9f647bcec8..1ce4c083dd 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: Received invalid data from a peer. Data discarded. * +*BranchCache: Received invalid data from a peer. Data discarded.* *IP address of the client that sent this data:%1* diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 5002d2167c..dde20455d3 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. * +*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.* *IP address of the client that sent this message: %1* diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index 29629cb6a7..e8020581ad 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. * +*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.* *Domain name of the hosted cache is:%1* diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 0505b241b2..43228f26be 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. * +*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.* *Domain name of the hosted cache:%1* diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 8f28ea3891..e1f76dbf69 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: A service connection point object could not be parsed. * +*BranchCache: A service connection point object could not be parsed.* *SCP object GUID: %1* diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 05cbed96aa..97a809c8de 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -141,7 +141,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)**
          Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. - [Conditional access](microsoft-defender-atp/conditional-access.md) -- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md) +- [Office 365 ATP](microsoft-defender-atp/threat-protection-integration.md) - [Azure ATP](microsoft-defender-atp/threat-protection-integration.md) - [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md) - [Skype for Business](microsoft-defender-atp/threat-protection-integration.md) diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md index ab6330fbe8..52771c8630 100644 --- a/windows/security/threat-protection/intelligence/coinminer-malware.md +++ b/windows/security/threat-protection/intelligence/coinminer-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 269b44ae01..31ef30f618 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index dbccc045ba..79047be15a 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 0367399251..1a57f85019 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index cf077a0a1b..3e680879b5 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: levinec +ms.author: ellevin author: levinec ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md index 4ae184bdda..19d1a76072 100644 --- a/windows/security/threat-protection/intelligence/developer-info.md +++ b/windows/security/threat-protection/intelligence/developer-info.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: levinec +ms.author: ellevin author: levinec ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 047f060649..a7e660c5da 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium ms.pagetype: security -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index 0716cab937..beff687643 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 6e0e5385e8..62bcff1173 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index f26e686027..d4c3119d19 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 83a0c0a704..2a52b19798 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 27d9e2a4fe..4f5d3c7278 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index d916ad8a4b..59d35b2c35 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index b7eaea126c..5ebb6aa87a 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index 528be6dda2..3dc3456226 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 07018d689f..d3bd25dce2 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 54f39ce774..545a2d7f62 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 6ea3d8c4e2..7530ec2c2e 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 4744f0f0e3..35942059ca 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index a786d8ecd1..c1d189ea17 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: high -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index 918006ff72..c9f64fecd6 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index 1be49ef74a..220e69b806 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index d8e216919b..28718f36f6 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index b899f41868..82c6baab29 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 50fe7168fa..38ad06123a 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index aca7c0581d..6c51864314 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium -ms.author: levinec +ms.author: ellevin author: levinec manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md index a82f47f963..9180ed1db4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md @@ -59,6 +59,13 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS | +| ShareName | string | Name of shared folder containing the file | +| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity | +| RequestSourcePort | string | Source port on the remote device that initiated the activity | +| RequestAccountName | string | User name of account used to remotely initiate the activity | +| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity | +| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index fe729da635..0f5c27cc7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index a3455dcc67..0379951dbd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -58,10 +58,10 @@ The Windows Defender AV threat severity represents the absolute severity of the The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. -- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. -- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". -- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. +- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". +- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. #### Understanding alert categories We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index a3d83d4880..b4aec2ce09 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 122b141332..e526a20669 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -22,6 +22,12 @@ ms.topic: article Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). +### Throttling limits + +Name | Calls | Renewal period +:---|:---|:--- +API calls per connection | 100 | 60 seconds + ## Legal Notices diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index e97f64fda4..3fd9f905d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 1eadc36802..11998ea410 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -34,6 +34,8 @@ Your configuration score widget shows the collective security configuration stat - Security controls ## How it works +>[!NOTE] +> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: - Compare collected configurations to the collected benchmarks to discover misconfigured assets diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index 0911a2d722..9356c13eb8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 0d8f88aa59..706f90cf75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 75b3616e1c..e07aee7cf0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -1,7 +1,7 @@ --- title: Configure and manage Microsoft Threat Experts capabilities ms.reviewer: -description: You need to register to Microsoft Threats Experts preview to configure, manage, and use it in your daily security operations and security administration work. +description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work. keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service search.product: Windows 10 search.appverid: met150 @@ -9,8 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas +ms.author: dolmont +author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -23,12 +23,12 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] +[!Include[Prerelease information](prerelease.md)] ## Before you begin -To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges. +To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges are not incurred during for the capability in preview, but for the generally available capability, there will be charges. -You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. +Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. @@ -47,11 +47,11 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M 6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. ## Receive targeted attack notification from Microsoft Threat Experts -You can receive targeted attack notification from Microsoft Threat Experts through the following: +You can receive targeted attack notification from Microsoft Threat Experts through the following medium: - The Microsoft Defender ATP portal's **Alerts** dashboard - Your email, if you choose to configure it -To receive targeted attack notifications through email, you need to create an email notification rule. +To receive targeted attack notifications through email, create an email notification rule. ### Create an email notification rule You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details. @@ -68,11 +68,14 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert >[!NOTE] >The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. -You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. +You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. -1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. -2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**. -3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket. +>[!NOTE] +>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. + +1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an inquiry. +2. From the upper right-hand menu, click **?**. Then, select **Ask a threat expert**. +3. Asking a threat expert is a two-step process: provide the necessary information and open a support ticket. **Step 1: Provide information** a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu.
          @@ -83,7 +86,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w **Step 2: Open a support ticket** >[!NOTE] - >To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. + >To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
          @@ -100,7 +103,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w e. Verify your contact details and add another if necessary. Then, click **Next**.
          - f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
          + f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. A confirmation page indicating the response time and your support request number shows.
          ## Sample questions to ask Microsoft Threat Experts @@ -111,12 +114,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. **Possible machine compromise** -- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity. +- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity. - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? **Threat intelligence details** -- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link? -- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? +- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? +- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? @@ -129,7 +132,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w ## Scenario ### Receive a progress report about your managed hunting inquiry -Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories: +Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories: - More information is needed to continue with the investigation - A file or several file samples are needed to determine the technical context - Investigation requires more time diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index d12bc037b7..bdc69b1a68 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -1,6 +1,8 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP + +description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP + keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,9 +23,11 @@ ms.date: 09/03/2018 # Configure managed security service provider integration **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) + [!include[Prerelease information](prerelease.md)] @@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu > - MSSP customers: Organizations that engage the services of MSSPs. The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Microsoft Defender Security Center portal + +- Get access to MSSP customer's Windows Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal. + Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Microsoft Defender Security Center**
          -This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. + +- **Grant the MSSP access to Windows Defender Security Center**
          +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. + - **Configure alert notifications sent to MSSPs**
          This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer. @@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. ## Grant the MSSP access to the portal ->[!NOTE] + +>[!NOTE] > These set of steps are directed towards the MSSP customer.
          > Access to the portal can only be done by the MSSP customer. -As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. + Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. You'll need to take the following 2 steps: - Add MSSP user to your tenant as a guest user -- Grant MSSP user access to Microsoft Defender Security Center + +- Grant MSSP user access to Windows Defender Security Center + ### Add MSSP user to your tenant as a guest user Add a user who is a member of the MSSP tenant to your tenant as a guest user. To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). - -### Grant MSSP user access to Microsoft Defender Security Center -Grant the guest user access and permissions to your Microsoft Defender Security Center tenant. + +### Grant MSSP user access to Windows Defender Security Center +Grant the guest user access and permissions to your Windows Defender Security Center tenant. Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md). -If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md). +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac.md). + >[!NOTE] >There is no difference between the Member user and Guest user roles from RBAC perspective. @@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Microsoft Defender Security Center MSSP customer portal + +## Access the Windows Defender Security Center MSSP customer portal ->[!NOTE] +>[!NOTE] >These set of steps are directed towards the MSSP. -By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. +By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. + MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. @@ -123,7 +138,9 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met. + For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications). + These check boxes must be checked: - **Include organization name** - The customer name will be added to email notifications @@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps: Step 1: Create a third-party application Step 2: Get access and refresh tokens from your customer's tenant - -Step 3: Whitelist your application on Microsoft Defender Security Center + +Step 3: Whitelist your application on Windows Defender Security Center + ### Step 1: Create an application in Azure Active Directory (Azure AD) -You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant. + +You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant. + 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). 2. Select **Azure Active Directory** > **App registrations**. -3. Click **New application registration**. + +3. Click **New registration**. + 4. Specify the following values: - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name) - - Application type: Web app / API - - Sign-on URL: `https://SiemMsspConnector` + + - Supported account types: Account in this organizational directory only + - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name) -5. Click **Create**. The application is displayed in the list of applications you own. +5. Click **Register**. The application is displayed in the list of applications you own. -6. Select the application, then click **Settings** > **Properties**. +6. Select the application, then click **Overview**. -7. Copy the value from the **Application ID** field. +7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step. -8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name. +8. Select **Certificate & secrets** in the new application panel. -9. Ensure that the **Multi-tenanted** field is set to **Yes**. +9. Click **New client secret**. -10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`. - -11. Click **Save**. - -12. Select **Keys** and specify the following values: - Description: Enter a description for the key. - Expires: Select **In 1 year** -13. Click **Save**. Save the value is a safe place, you'll need this + +10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step. + ### Step 2: Get access and refresh tokens from your customer's tenant This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. @@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio `Set-ExecutionPolicy -ExecutionPolicy Bypass` 6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId ` - - - Replace \ with the Application ID you got from the previous step. - - Replace \ with the application key you created from the previous step. - - Replace \ with your customer's tenant ID. + + - Replace \ with the **Application (client) ID** you got from the previous step. + - Replace \ with the **Client Secret** you created from the previous step. + - Replace \ with your customer's **Tenant ID**. + 7. You'll be asked to provide your credentials and consent. Ignore the page redirect. 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. -### Step 3: Whitelist your application on Microsoft Defender Security Center -You'll need to whitelist the application you created in Microsoft Defender Security Center. + +### Step 3: Whitelist your application on Windows Defender Security Center +You'll need to whitelist the application you created in Windows Defender Security Center. + You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. @@ -272,12 +295,15 @@ You'll need to have **Manage portal system settings** permission to whitelist th 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). + +You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). + - In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs + For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md). ## Related topics @@ -285,4 +311,5 @@ For information on how to fetch alerts using REST API, see [Pull alerts using RE - [Manage portal access using RBAC](rbac.md) - [Pull alerts to your SIEM tools](configure-siem.md) - [Pull alerts using REST API](pull-alerts-using-rest-api.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index b9c6aceba6..6b24d02ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -140,7 +140,7 @@ Agent Resource | Ports To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. >[!NOTE] ->The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.comsccm/apps/deploy-use/packages-and-programs). +>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). Supported tools include: - Local script diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index c100b9ddf2..f4a2b266d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. -recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. +recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**. eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. reportId | String | The reportId, as obtained from the advanced query. **Required**. category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index c3eaee164d..55180b158c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md index da3414815c..20b16719e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md @@ -2,7 +2,7 @@ ms.date: 10/17/2018 ms.reviewer: manager: dansimp -ms.author: mjcaparas +ms.author: macapara author: mjcaparas --- > [!WARNING] diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index 1939474a15..c589b30285 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 6d064aed64..a2e28ff082 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp @@ -62,29 +62,29 @@ This page explains how to create an AAD application, get an access token to Micr 4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission: - - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. + - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![Image of API access and API selection](images/add-permission.png) - - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions** + - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions** - ![Image of API access and API selection](images/application-permissions-public-client.png) + ![Image of API access and API selection](images/application-permissions-public-client.png) - - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example! + - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example! - For instance, + For instance, - - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission + - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. - - Click **Grant consent** + - Click **Grant consent** - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. + **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. - ![Image of Grant permissions](images/grant-consent.png) + ![Image of Grant permissions](images/grant-consent.png) 6. Write down your application ID and your tenant ID: @@ -102,42 +102,42 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co - Copy/Paste the below class in your application. - Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token. - ``` - namespace WindowsDefenderATP - { - using System.Net.Http; - using System.Text; - using System.Threading.Tasks; - using Newtonsoft.Json.Linq; + ```csharp + namespace WindowsDefenderATP + { + using System.Net.Http; + using System.Text; + using System.Threading.Tasks; + using Newtonsoft.Json.Linq; - public static class WindowsDefenderATPUtils - { - private const string Authority = "https://login.windows.net"; + public static class WindowsDefenderATPUtils + { + private const string Authority = "https://login.windows.net"; - private const string WdatpResourceId = "https://api.securitycenter.windows.com"; + private const string WdatpResourceId = "https://api.securitycenter.windows.com"; - public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId) - { - using (var httpClient = new HttpClient()) - { - var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}"; + public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId) + { + using (var httpClient = new HttpClient()) + { + var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}"; - var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded"); + var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded"); - using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false)) - { - response.EnsureSuccessStatusCode(); + using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false)) + { + response.EnsureSuccessStatusCode(); - var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false); + var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false); - var jObject = JObject.Parse(json); + var jObject = JObject.Parse(json); - return jObject["access_token"].Value(); - } - } - } - } - } + return jObject["access_token"].Value(); + } + } + } + } + } ``` ## Validate the token @@ -156,16 +156,17 @@ Sanity check to make sure you got a correct token: - The Expiration time of the token is 1 hour (you can send more then one request with the same token) - Example of sending a request to get a list of alerts **using C#** - ``` - var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + ```csharp + var httpClient = new HttpClient(); - request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); - var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); - // Do something useful with the response + var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); + + // Do something useful with the response ``` ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index 880b4e2b38..60ecb971c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 58362fcab8..34c8475792 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index c8029a1428..0a52c8cea1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index c166277e71..fbcee47cf2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md index 2e00867ddd..c247c9aa81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get IP related machines API +# Get IP related machines API (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md index e9af976de1..8b6890297b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 2b5551a0bb..92bc4c7650 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/users/{id}/alerts ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) ** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)** ## Request headers diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 341c605bbb..ca042a7e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine GET /api/users/{id}/machines ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) ** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)** ## Request headers diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index ee65c7302f..dcc141f161 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp @@ -45,8 +45,8 @@ Sensitivity labels classify and help protect sensitive content. Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories: -- Default -- Custom +- Default +- Custom Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for). diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md index 408e800158..38debbe291 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Was domain seen in org +# Was domain seen in org (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md index 3239831649..f112796be2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Was IP seen in org +# Was IP seen in org (Deprecated) **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 095c078b1f..9747f2d0ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -61,8 +61,8 @@ Comment | String | Comment to associate with the action. **Required**. IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'. **IsolationType** controls the type of isolation to perform and can be one of the following: -- Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md index fe12e8ee4e..eb66c2d069 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md @@ -2,7 +2,7 @@ ms.date: 08/28/2017 ms.reviewer: manager: dansimp -ms.author: mjcaparas +ms.author: macapara author: mjcaparas --- >[!Note] diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 1dc3f9be1f..2e124ba8aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index dce7f4aaf2..a5f617c624 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 25c32174b9..c4c4ca728b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 5f0af03683..b5bb4b00fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index 352d6289b9..d7197b2574 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index bb96ea1b7e..f799ef59bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md index 35d03646ca..48dac8442f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md @@ -392,7 +392,7 @@ ####### [Get domain related alerts](get-domain-related-alerts.md) ####### [Get domain related machines](get-domain-related-machines.md) ####### [Get domain statistics](get-domain-statistics.md) -####### [Is domain seen in organization](is-domain-seen-in-org.md) +####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md) ###### [File]() ####### [Methods and properties](files.md) @@ -403,9 +403,9 @@ ###### [IP]() ####### [Get IP related alerts](get-ip-related-alerts.md) -####### [Get IP related machines](get-ip-related-machines.md) +####### [Get IP related machines (Deprecated)](get-ip-related-machines.md) ####### [Get IP statistics](get-ip-statistics.md) -####### [Is IP seen in organization](is-ip-seen-org.md) +####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md) ###### [User]() ####### [Methods](user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index e520f70a7f..ff5e1ed7d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index f28db7412f..0d041b05e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp @@ -33,8 +33,8 @@ Topic | Description [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. -Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. -Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. +[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. +[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 5de1f9d993..71c91ea9c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas +ms.author: deniseb +author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -23,15 +23,14 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in your organization from new and emerging threats. +Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. -| Capability | Description | +| Article | Description | |------------|-------------| -| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious websites. | -| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. | -| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) | -| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. | -| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. | -| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. | -| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. | - +| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | +| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | +| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | +| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | +| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | +| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | +| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index d9d1de552d..9579771415 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 9065093f4d..8343dc2003 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index 94b82c67e2..344d125399 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.author: mjcaparas +ms.author: macapara ms.date: 09/07/2018 --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index ccc8855e33..dcaa31ea84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] +>[!NOTE] > Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. @@ -40,17 +40,17 @@ The **Secure score dashboard** displays a snapshot of: ![Secure score dashboard](images/new-secure-score-dashboard.png) ## Microsoft secure score -The Microsoft secure score tile is reflective of the sum of all the Microsoft Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. +The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. ![Image of Microsoft secure score tile](images/mss.png) -Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). +Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). -In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. +In the example image, the total points for the security controls and Office 365 add up to 602 points. -You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). +You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). ## Secure score over time You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. @@ -79,11 +79,11 @@ Within the tile, you can click on each control to see the recommended optimizati Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. -## Related topic +## Related topic - [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index b2d8409667..e649152e6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index 89fd91c5ae..8dea2272e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md index a5949f146b..01d6034c12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md @@ -2,7 +2,7 @@ ms.date: 08/28/2017 ms.reviewer: manager: dansimp -ms.author: mjcaparas +ms.author: macapara author: mjcaparas --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 230e57d75e..3f4ceec2f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -63,7 +63,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - - **Search box** - select File from the drop–down menu and enter the file name + - **Search box** - select **File** from the drop–down menu and enter the file name 2. Go to the top bar and select **Stop and Quarantine File**. @@ -98,7 +98,7 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the machine: - a. Go to **Start** and type cmd. + a. Go to **Start** and type _cmd_. b. Right–click **Command prompt** and select **Run as administrator**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 5bb659b44e..d9cfb97c3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -96,7 +96,7 @@ The package contains the following folders: |:---|:---------| |Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

          NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | -|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

          - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

          - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

          ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

          - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

          - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

          - FirewassExecutionLog.txt and pfirewall.log | +|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

          - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

          - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

          ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

          - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

          - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

          - FirewassExecutionLog.txt and pfirewall.log | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

          - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

          - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | | Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | | Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index eba85f1a0f..cffc0ad85b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md index 409f485d23..12a021ec3d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md index 65e723e229..9febf311eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md index 01dbb65739..c292829e80 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index bd86e1319d..a5154e0ab4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index bcceb8902e..95fe03d4b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index b0ae432a26..1bef9658a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md @@ -27,7 +27,7 @@ ms.topic: conceptual Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. >[!IMPORTANT] >This feature is available for machines on Windows 10, version 1607 or later. @@ -45,17 +45,17 @@ You can take the following actions to increase the overall security score of you For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). -### Microsoft Defender Antivirus (Microsoft Defender AV) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AV. +### Windows Defender Antivirus (Windows Defender AV) optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. >[!IMPORTANT] >This feature is available for machines on Windows 10, version 1607 or later. -#### Minimum baseline configuration setting for Microsoft Defender AV: -Machines are considered "well configured" for Microsoft Defender AV if the following requirements are met: +#### Minimum baseline configuration setting for Windows Defender AV: +A well-configured machine for Windows Defender AV meets the following requirements: -- Microsoft Defender AV is reporting correctly -- Microsoft Defender AV is turned on +- Windows Defender AV is reporting correctly +- Windows Defender AV is turned on - Security intelligence is up-to-date - Real-time protection is on - Potentially Unwanted Application (PUA) protection is enabled @@ -64,16 +64,16 @@ Machines are considered "well configured" for Microsoft Defender AV if the follo You can take the following actions to increase the overall security score of your organization: >[!NOTE] -> For the Microsoft Defender Antivirus properties to show, you'll need to ensure that the Microsoft Defender Antivirus Cloud-based protection is properly configured on the machine. +> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine. - Fix antivirus reporting - - This recommendation is displayed when the Microsoft Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). + - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). - Turn on antivirus - Update antivirus Security intelligence - Turn on real-time protection - Turn on PUA protection -For more information, see [Configure Microsoft Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). +For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). ### OS security updates optimization @@ -90,15 +90,15 @@ You can take the following actions to increase the overall security score of you For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). -### Microsoft Defender Exploit Guard (Microsoft Defender EG) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. +### Windows Defender Exploit Guard (Windows Defender EG) optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Windows Defender EG. When endpoints are configured according to the baseline, the Windows Defender EG events shows on the Microsoft Defender ATP Machine timeline. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender EG: -Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: +#### Minimum baseline configuration setting for Windows Defender EG: +A well-configured machine for Windows Defender EG meets the following requirements: - System level protection settings are configured correctly - Attack Surface Reduction rules are configured correctly @@ -148,48 +148,48 @@ You can take the following actions to increase the overall security score of you - Turn on all system-level Exploit Protection settings - Set all ASR rules to enabled or audit mode - Turn on Controlled Folder Access -- Turn on Microsoft Defender Antivirus on compatible machines +- Turn on Windows Defender Antivirus on compatible machines -For more information, see [Microsoft Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). +For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). -### Microsoft Defender Application Guard (Microsoft Defender AG) optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. +### Windows Defender Application Guard (Windows Defender AG) optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender AG: -Machines are considered "well configured" for Microsoft Defender AG if the following requirements are met: +#### Minimum baseline configuration setting for Windows Defender AG: +A well-configured machine for Windows Defender AG meets the following requirements: - Hardware and software prerequisites are met -- Microsoft Defender AG is turned on compatible machines +- Windows Defender AG is turned on compatible machines - Managed mode is turned on ##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met +- Ensure that you meet the hardware and software prerequisites >[!NOTE] - >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. + >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on. -- Turn on Microsoft Defender AG on compatible machines +- Turn on Windows Defender AG on compatible machines - Turn on managed mode -For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). -### Microsoft Defender SmartScreen optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. +### Windows Defender SmartScreen optimization +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender SmartScreen. >[!WARNING] -> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. +> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender SmartScreen: +#### Minimum baseline configuration setting for Windows Defender SmartScreen: The following settings must be configured with the following settings: - Check apps and files: **Warn** or **Block** - SmartScreen for Microsoft Edge: **Warn** or **Block** @@ -201,27 +201,27 @@ You can take the following actions to increase the overall security score of you - Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** - Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** -For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). +For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). -### Microsoft Defender Firewall optimization -A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. +### Windows Defender Firewall optimization +A well-configured machine must have Windows Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Firewall. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender Firewall +#### Minimum baseline configuration setting for Windows Defender Firewall -- Microsoft Defender Firewall is turned on for all network connections -- Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +- Windows Defender Firewall is turned on for all network connections +- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -For more information on Microsoft Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). +For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). >[!NOTE] -> If Microsoft Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. +> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. ##### Recommended actions: @@ -234,7 +234,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). -For more information, see [Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). +For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. @@ -258,17 +258,17 @@ You can take the following actions to increase the overall security score of you For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). -### Microsoft Defender Credential Guard optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Credential Guard. +### Windows Defender Credential Guard optimization +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Microsoft Defender Credential Guard: -Well-configured machines for Microsoft Defender Credential Guard meets the following requirements: +#### Minimum baseline configuration setting for Windows Defender Credential Guard: +Well-configured machines for Windows Defender Credential Guard meets the following requirements: - Hardware and software prerequisites are met -- Microsoft Defender Credential Guard is turned on compatible machines +- Windows Defender Credential Guard is turned on compatible machines ##### Recommended actions: @@ -279,7 +279,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). -For more information, see [Manage Microsoft Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). +For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index f7c9eff384..731963f220 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -75,7 +75,7 @@ The **Sensor health** tile provides information on the individual machine’s ab ![Sensor health tile](images/atp-tile-sensor-health.png) There are two status indicators that provide information on the number of machines that are not reporting properly to the service: -- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. +- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index e620a05684..9c38688bb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas +ms.author: macapara author: mjcaparas ms.localizationpriority: medium manager: dansimp @@ -51,6 +51,9 @@ Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals t ## Office 365 Advanced Threat Protection (Office 365 ATP) [Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. +>[!NOTE] +> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP. + ## Skype for Business The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index f981d9c12a..289a76f1c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -296,8 +296,8 @@ You might also need to check the following: ## Licensing requirements Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - - Windows 10 Enterprise E5 - - Windows 10 Education E5 + - Windows 10 Enterprise E5 + - Windows 10 Education E5 - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index f78005ca01..668831d19d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -34,31 +34,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur 3. Enter the role name, description, and permissions you'd like to assign to the role. - - **Role name** - - **Description** - - **Permissions** - - **View data** - Users can view information in the portal. - - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. - - >[!NOTE] - >This setting is only available in the Microsoft Defender ATP administrator (default) role. + - **Role name** + - **Description** + - **Permissions** + - **View data** - Users can view information in the portal. + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. - - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + > [!NOTE] + > This setting is only available in the Microsoft Defender ATP administrator (default) role. - - **Live response capabilities** - Users can take basic or advanced live response commands.
          - - Basic commands allow users to: - - Start a live response session - - Run read only live response commands on a remote machine - - Advanced commands allow users to: - - Run basic actions - - Download a file from the remote machine - - View a script from the files library - - Run a script on the remote machine from the files library take read and write commands. - - For more information on the available commands, see [Investigate machines using Live response](live-response.md). - + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + + - **Live response capabilities** - Users can take basic or advanced live response commands. + - Basic commands allow users to: + - Start a live response session + - Run read only live response commands on a remote machine + - Advanced commands allow users to: + - Run basic actions + - Download a file from the remote machine + - View a script from the files library + - Run a script on the remote machine from the files library take read and write commands. + + For more information on the available commands, see [Investigate machines using Live response](live-response.md). + 4. Click **Next** to assign the role to an Azure AD group. 5. Use the filter to select the Azure AD group that you'd like to add to this role. diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 994b79b7b6..b3c05cd9a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -79,8 +79,8 @@ For more information preview features, see [Preview features](https://docs.micro Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - New in Windows 10 version 1809, there are two new attack surface reduction rules: - - Block Adobe Reader from creating child processes - - Block Office communication application from creating child processes. + - Block Adobe Reader from creating child processes + - Block Office communication application from creating child processes. - [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). @@ -95,8 +95,8 @@ Query data using Advanced hunting in Microsoft Defender ATP. - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
          New attack surface reduction rules: - - Use advanced protection against ransomware - - Block credential stealing from the Windows local security authority subsystem (lsass.exe) + - Use advanced protection against ransomware + - Block credential stealing from the Windows local security authority subsystem (lsass.exe) - Block process creations originating from PSExec and WMI commands - Block untrusted and unsigned processes that run from USB - Block executable content from email client and webmail diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index c2c3f86318..7036973802 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of: - Local Group Policy Object (LGPO) tool -You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/). +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines). ## What is the Policy Analyzer tool? diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4fcca719b6..ef5a46869a 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | 565 | Access was granted to an already existing object type. | | 567 | A permission associated with a handle was used.
          **Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | | 569 | The resource manager in Authorization Manager attempted to create a client context. | -| 570 | A client attempted to access an object.
          **Note: ** An event will be generated for every attempted operation on the object. | +| 570 | A client attempted to access an object.
          **Note:** An event will be generated for every attempted operation on the object. | ## Security considerations diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 44a4ae63d3..300f56c569 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate: ## Appendix E – Annotated baseline subscription event query -``` syntax +```xml @@ -578,8 +578,7 @@ Here are the minimum steps for WEF to operate: ## Appendix F – Annotated Suspect Subscription Event Query -``` syntax - +```xml diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index a9991a6eef..0389c92dd6 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md @@ -22,16 +22,16 @@ ms.date: 10/13/2017 Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data. Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include: -- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. -- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps. -- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. +- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. +- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps. +- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware. **In this article:** -- Windows Hello for Business -- Windows Information Protection -- Malware resistance +- Windows Hello for Business +- Windows Information Protection +- Malware resistance ## Windows Hello @@ -56,9 +56,9 @@ To compromise Windows Hello credentials, an attacker would need access to the ph Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password. Windows Hello supports three biometric sensor scenarios: -- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. -- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello. -- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology. +- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. +- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello. +- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology. >Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture. @@ -72,8 +72,6 @@ The biometric image collected at enrollment is converted into an algorithmic for A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail. -In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2). - ### Standards-based approach The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. @@ -87,12 +85,12 @@ Enterprises have seen huge growth in the convergence of personal and corporate d Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include: -- Automatically tag personal and corporate data. -- Protect data while it’s at rest on local or removable storage. -- Control which apps can access corporate data. -- Control which apps can access a virtual private network (VPN) connection. -- Prevent users from copying corporate data to public locations. -- Help ensure business data is inaccessible when the device is in a locked state. +- Automatically tag personal and corporate data. +- Protect data while it’s at rest on local or removable storage. +- Control which apps can access corporate data. +- Control which apps can access a virtual private network (VPN) connection. +- Prevent users from copying corporate data to public locations. +- Help ensure business data is inaccessible when the device is in a locked state. ### Enlightened apps @@ -101,21 +99,21 @@ Third-party data loss protection solutions usually require developers to wrap th Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that: -- Don’t use common controls for saving files. -- Don’t use common controls for text boxes. -- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance). +- Don’t use common controls for saving files. +- Don’t use common controls for text boxes. +- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance). In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data. **When is app enlightenment required?** -- **Required** - - App needs to work with both personal and enterprise data. -- **Recommended** - - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps. - - App needs to access enterprise data, while protection under lock is activated. -- **Not required** - - App handles only corporate data - - App handles only personal data +- **Required** + - App needs to work with both personal and enterprise data. +- **Recommended** + - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps. + - App needs to access enterprise data, while protection under lock is activated. +- **Not required** + - App handles only corporate data + - App handles only personal data ### Data leakage control @@ -124,10 +122,10 @@ To configure Windows Information Protection in a Mobile Device Management (MDM) Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data. The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set: -- **Block.** Windows Information Protection blocks users from completing the operation. -- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. -- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log. -- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log. +- **Block.** Windows Information Protection blocks users from completing the operation. +- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. +- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log. +- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log. ### Data separation @@ -140,11 +138,11 @@ Windows Information Protection provides data separation without requiring a cont Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device. You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices. -- Cryptography - - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled. - - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections. -- BitLocker - - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one. +- Cryptography + - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled. + - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections. +- BitLocker + - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one. To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello. @@ -230,9 +228,9 @@ A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform. The following list describes key functionality that a TPM provides in Windows 10 Mobile: -- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. -- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. -- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. +- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. +- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. +- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. @@ -241,9 +239,9 @@ Many assume that original equipment manufacturers (OEMs) must implant a TPM in h >Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](https://technet.microsoft.com/library/dn915086.aspx) Several Windows 10 Mobile security features require TPM: -- Virtual smart cards -- Measured Boot -- Health attestation (requires TPM 2.0 or later) +- Virtual smart cards +- Measured Boot +- Health attestation (requires TPM 2.0 or later) Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello. @@ -312,9 +310,9 @@ Malware depends on its ability to insert a malicious payload into memory with th The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use. Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows: -- Internal data structures that the heap uses are better protected against memory corruption. -- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable. -- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. +- Internal data structures that the heap uses are better protected against memory corruption. +- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable. +- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. ### Memory reservations @@ -342,9 +340,9 @@ The security policy of a specific AppContainer defines the operating system capa A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time. The AppContainer concept is advantageous because it provides: -- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. -- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. -- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types. +- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. +- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. +- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types. Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher. @@ -355,9 +353,9 @@ The combination of Device Guard and AppContainer help to prevent unauthorized ap The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways: -- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. -- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. -- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. +- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. +- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. +- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. ## Summary diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 4f08806147..39bb11b2f0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -51,13 +51,14 @@ As a cloud service, it is required that computers have access to the internet an | **Service**| **Description** |**URL** | | :--: | :-- | :-- | -| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com| -| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com| -| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com| -| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | -| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | -| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | -| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com| +| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com \*.wdcpalt.microsoft.com \*.wd.microsoft.com| +| *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com| +| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com| +| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | +| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | +| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | +| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com| + ## Validate connections between your network and the cloud diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 7ee34ff838..575ad0d393 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -41,6 +41,6 @@ You can also manually merge AppLocker policies. For the procedure to do this, se Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. -``` syntax +```powershell C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 6fa4d92a72..a3834e3625 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -50,11 +50,11 @@ The following table contains information about the events that you can use to de | 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| | 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 8e77d3e330..d3c403d633 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -30,7 +30,7 @@ This topic for IT professionals provides links to procedural topics about creati | Topic | Description | | - | - | | [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| -| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.| +| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.| | [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| | [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| | [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md index 105f6a46bb..babbce2e0b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md @@ -52,10 +52,10 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - One or the other, not both at the same time - Does not support wildcard in the middle (ex. C:\\*\foo.exe) - - Examples: - - %WINDIR%\\... - - %SYSTEM32%\\... - - %OSDRIVE%\\... +- Supported Macros: + - %WINDIR%\\... + - %SYSTEM32%\\... + - %OSDRIVE%\\... - Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ab584cebd9..530d8659f9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -111,15 +111,16 @@ They could also choose to create a catalog that captures information about the u Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. -- New-CIPolicy parameters +- New-CIPolicy parameter - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) ```powershell - New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u + New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs ``` Optionally, add -UserWriteablePaths to ignore user writeability - + +- New-CIPolicyRule parameter - FilePathRule: create a rule where filepath string is directly set to value of \ ```powershell @@ -134,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD $rules = New-CIPolicyRule … $rules += New-CIPolicyRule … … - New-CIPolicyRule -f .\mypolicy.xml -u + New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs ``` - Wildcards supported @@ -149,6 +150,6 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD - Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: ```powershell - Set-RuleOption -o 18 .\policy.xml + Set-RuleOption -Option 18 .\policy.xml ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 9617e485b3..3605322e2c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -18,7 +18,7 @@ ms.date: 01/08/2019 **Applies to:** -- Windows 10 +- Windows 10 Enterprise - Windows Server 2016 - Windows Server 2019 @@ -40,8 +40,8 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements -WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. +WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. +They can be applied to computers running Windows 10 Enterprise or Windows Server 2016 and above and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index fb335353dc..c129bb0353 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -29,11 +29,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Net >You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. -| Policy name | Supported versions | Description | -|-------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. | -| Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | -| Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. | + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". | +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| + ## Application-specific settings These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 8a0d017824..1d5756d650 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -103,3 +103,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A | **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com. |
          + +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? | +| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). | + +
          + diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 3f889598d3..dc6820bd94 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -19,29 +19,12 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements - + +See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. >[!NOTE] >Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. -### Hardware requirements -Your environment needs the following hardware to run Windows Defender Application Guard. -|Hardware|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| -|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

          **-AND-**

          One of the following virtualization extensions for VBS:

          VT-x (Intel)

          **-OR-**

          AMD-V| -|Hardware memory|Microsoft requires a minimum of 8GB RAM| -|Hard disk|5 GB free space, solid state disk (SSD) recommended| -|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| - -### Software requirements -Your environment needs the following software to run Windows Defender Application Guard. - -|Software|Description| -|--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
          Windows 10 Professional edition, version 1803| -|Browser|Microsoft Edge and Internet Explorer| -|Management system
          (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

          **-OR-**

          [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

          **-OR-**

          [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

          **-OR-**

          Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| ## Prepare for Windows Defender Application Guard diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 4aadf6d205..00c7bfddf4 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -39,69 +39,12 @@ Application Guard has been created to target several types of systems: ## Frequently Asked Questions -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? | -| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. | - -
          - - -| | | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? | -| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

          In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. | - -
          - - -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? | -| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. | - -
          - - -| | | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? | -| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. | - -
          - - -| | | -|--------|---------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Why aren’t employees able to see their Extensions in the Application Guard Edge session? | -| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. | - -
          - - -| | | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | -| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | - -
          - - -| | | -|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? | -| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. | - -
          - +Please see [Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md) for common user-submitted questions. | | | |--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | What is the WDAGUtilityAccount local account? | -| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. | +| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? | +| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). |
          diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 29ed15335f..7ed8ec4621 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u >If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +>If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. + ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 0f4d7ee1dc..07172573b3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -183,7 +183,7 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. > [!NOTE] -> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709. +> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803. The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 61220879a8..4d7e28279c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -88,7 +88,7 @@ Where: For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: ```PowerShell -Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` You can disable audit mode by replacing `-Enable` with `-Disable`. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index dc0bab469f..875fd5bfae 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -56,7 +56,9 @@ This can only be done in Group Policy. > >You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). + +2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. @@ -86,7 +88,18 @@ This can only be done in Group Policy. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +7. Use the following registry key and DWORD value to **Hide all notifications**. + + **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** + **"DisableNotifications"=dword:00000001** + +8. Use the following registry key and DWORD value to **Hide not-critical notifications** + + **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** + **"DisableEnhancedNotifications"=dword:00000001** + +9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). + ## Notifications @@ -136,3 +149,4 @@ This can only be done in Group Policy. | Dynamic lock on, bluetooth on, but unable to detect device | | | No | | NoPa or federated no hello | | | No | | NoPa or federated hello broken | | | No | + diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index 027d92a3b4..9d214a2b3c 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: manager: dansimp -ms.author: mjcaparas +ms.author: macapara --- # Windows Defender SmartScreen diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index f9fb884957..ca7c0039c1 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium ms.date: 10/13/2017 ms.reviewer: manager: dansimp -ms.author: mjcaparas +ms.author: macapara --- # Set up and use Windows Defender SmartScreen on individual devices diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 8de4021830..bf20974a75 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -123,8 +123,8 @@ Default is Any address. [Learn more](https://aka.ms/intunefirewallremotaddressrule) -## Edge traversal (coming soon) -Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. +## Edge traversal (UI coming soon) +Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time. [Learn more](https://aka.ms/intunefirewalledgetraversal) diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 9c6966b525..5ded02bd51 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -80,7 +80,7 @@ This script does the following: Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell # Create a Security Group for the computers that will get the policy $pathname = (Get-ADDomain).distinguishedname New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` @@ -120,7 +120,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell #Set up the certificate $certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" $myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop @@ -173,7 +173,7 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: 6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: - ``` syntax + ```xml ERROR_IPSEC_IKE_NO_CERT 32 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 79ee3e58bd..4daaa5d367 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -67,7 +67,7 @@ netsh advfirewall set allprofiles state on **Windows PowerShell** -``` syntax +```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` @@ -88,7 +88,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile Windows PowerShell -``` syntax +```powershell Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` @@ -140,7 +140,7 @@ netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow ``` @@ -157,7 +157,7 @@ netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name ``` @@ -169,7 +169,7 @@ The following performs the same actions as the previous example (by adding a Tel Windows PowerShell -``` syntax +```powershell $gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo Save-NetGPO –GPOSession $gpo @@ -191,7 +191,7 @@ netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 ``` @@ -205,7 +205,7 @@ In the following example, we assume the query returns a single firewall rule, wh Windows PowerShell -``` syntax +```powershell Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 ``` @@ -213,7 +213,7 @@ You can also query for rules using the wildcard character. The following example Windows PowerShell -``` syntax +```powershell Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule ``` @@ -223,7 +223,7 @@ In the following example, we add both inbound and outbound Telnet firewall rules Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” ``` @@ -232,7 +232,7 @@ If the group is not specified at rule creation time, the rule can be added to th Windows PowerShell -``` syntax +```powershell $rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” $rule.Group = “Telnet Management” $rule | Set-NetFirewallRule @@ -250,7 +250,7 @@ netsh advfirewall firewall set rule group="Windows Defender Firewall remote mana Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` @@ -258,7 +258,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g Windows PowerShell -``` syntax +```powershell Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose ``` @@ -276,7 +276,7 @@ netsh advfirewall firewall delete rule name=“Allow Web 80” Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Allow Web 80” ``` @@ -284,7 +284,7 @@ Like with other cmdlets, you can also query for rules to be removed. Here, all b Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –Action Block ``` @@ -292,7 +292,7 @@ Note that it may be safer to query the rules with the **Get** command and save i Windows PowerShell -``` syntax +```powershell $x = Get-NetFirewallRule –Action Block $x $x[0-3] | Remove-NetFirewallRule @@ -306,7 +306,7 @@ The following example returns all firewall rules of the persistent store on a de Windows PowerShell -``` syntax +```powershell Get-NetFirewallRule –CimSession RemoteDevice ``` @@ -314,7 +314,7 @@ We can perform any modifications or view rules on remote devices by simply usin Windows PowerShell -``` syntax +```powershell $RemoteSession = New-CimSession –ComputerName RemoteDevice Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm ``` @@ -342,7 +342,7 @@ netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name ``` @@ -365,7 +365,7 @@ netsh advfirewall consec add rule name="Require Outbound Authentication" endpoin Windows PowerShell -``` syntax +```powershell $AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name @@ -379,7 +379,7 @@ You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway ``` @@ -395,7 +395,7 @@ Copying individual rules is a task that is not possible through the Netsh interf Windows PowerShell -``` syntax +```powershell $Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” $Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name $Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name @@ -407,7 +407,7 @@ To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAc Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue ``` @@ -415,7 +415,7 @@ Note that the use of wildcards can also suppress errors, but they could potentia Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” ``` @@ -423,7 +423,7 @@ When using wildcards, if you want to double-check the set of rules that is match Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf ``` @@ -431,7 +431,7 @@ If you only want to delete some of the matched rules, you can use the *–Confir Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm ``` @@ -439,7 +439,7 @@ You can also just perform the whole operation, displaying the name of each rule Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose ``` @@ -457,7 +457,7 @@ netsh advfirewall consec show rule name=all Windows PowerShell -``` syntax +```powershell Show-NetIPsecRule –PolicyStore ActiveStore ``` @@ -473,7 +473,7 @@ netsh advfirewall monitor show mmsa all Windows PowerShell -``` syntax +```powershell Get-NetIPsecMainModeSA ``` @@ -485,7 +485,7 @@ For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is sp Windows PowerShell -``` syntax +```powershell Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore ``` @@ -506,7 +506,7 @@ netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profi Windows PowerShell -``` syntax +```powershell $kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation @@ -524,7 +524,7 @@ netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0. Windows PowerShell -``` syntax +```powershell $QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name @@ -548,7 +548,7 @@ netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in pro Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow ``` @@ -562,7 +562,7 @@ netsh advfirewall consec add rule name="Authenticate Both Computer and User" end Windows PowerShell -``` syntax +```powershell $mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM $P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop @@ -593,7 +593,7 @@ The following example shows you how to create an SDDL string that represents sec Windows PowerShell -``` syntax +```powershell $user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) $SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value $secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" @@ -603,7 +603,7 @@ By using the previous scriptlet, you can also get the SDDL string for a secure c Windows PowerShell -``` syntax +```powershell $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" ``` @@ -622,7 +622,7 @@ netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Gr Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation ``` @@ -634,7 +634,7 @@ In this example, we set the global IPsec setting to only allow transport mode tr Windows PowerShell -``` syntax +```powershell Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup ``` @@ -653,7 +653,7 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec Windows PowerShell -``` syntax +```powershell New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation ``` diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index 12bbd676fa..d4d30ecdba 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -34,6 +34,7 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", + "audience": "ITPro", "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 2991f9ac65..fa56ce48c7 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -5,4 +5,4 @@ ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) \ No newline at end of file +## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index b86924bf53..8d403d8128 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,6 +34,7 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", + "audience": "ITPro", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 43bca2f54c..27d454fa86 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -1,38 +1,38 @@ ---- -title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. -ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 -keywords: ["What's new in Windows 10", "Windows 10"] -ms.prod: w10 -author: greg-lindsay -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# What's new in Windows 10 - -Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. - -## In this section - -- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) -- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) -- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) -- [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) -- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) -- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) - -## Learn more - -- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) -- [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) -- [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) -- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) - -## See also - -[Windows 10 Enterprise LTSC](ltsc/index.md)
          -[Edit an existing topic using the Edit link](contribute-to-a-topic.md) - +--- +title: What's new in Windows 10 (Windows 10) +description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. +ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 +keywords: ["What's new in Windows 10", "Windows 10"] +ms.prod: w10 +audience: itpro author: greg-lindsay +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10 + +Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. + +## In this section + +- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) +- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) +- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) +- [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) +- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) +- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) +- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) + +## Learn more + +- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) +- [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) +- [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) +- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) + +## See also + +[Windows 10 Enterprise LTSC](ltsc/index.md)
          +[Edit an existing topic using the Edit link](contribute-to-a-topic.md) + diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md index 6dfee34a97..e49aee21fc 100644 --- a/windows/whats-new/ltsc/TOC.md +++ b/windows/whats-new/ltsc/TOC.md @@ -1,4 +1,4 @@ # [Windows 10 Enterprise LTSC](index.md) ## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md) ## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md) -## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) \ No newline at end of file +## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index d90f6985d2..fa6b259b1c 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -1,50 +1,50 @@ ---- -title: Windows 10 Enterprise LTSC -description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.localizationpriority: low -ms.topic: article ---- - -# Windows 10 Enterprise LTSC - -**Applies to** -- Windows 10 Enterprise LTSC - -## In this topic - -This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. - -[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
          -[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
          -[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) - -## The Long Term Servicing Channel (LTSC) - -The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. - -| LTSC release | Equivalent SAC release | Availability date | -| --- | --- | --- | -| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | -| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | -| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | - ->[!NOTE] ->The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. - -With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. - ->[!IMPORTANT] ->The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). - -For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). - -## See Also - -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          -[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option. +--- +title: Windows 10 Enterprise LTSC +description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.localizationpriority: low +ms.topic: article +--- + +# Windows 10 Enterprise LTSC + +**Applies to** +- Windows 10 Enterprise LTSC + +## In this topic + +This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. + +[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
          +[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
          +[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) + +## The Long Term Servicing Channel (LTSC) + +The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. + +| LTSC release | Equivalent SAC release | Availability date | +| --- | --- | --- | +| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | +| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | +| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | + +>[!NOTE] +>The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. + +With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. + +>[!IMPORTANT] +>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). + +For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). + +## See Also + +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          +[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 581fc39b20..b2e5edb37f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -1,298 +1,298 @@ ---- -title: What's new in Windows 10 Enterprise 2015 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2015 LTSC - -**Applies to** -- Windows 10 Enterprise 2015 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). - -## Deployment - -### Provisioning devices using Windows Imaging and Configuration Designer (ICD) - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) - -## Security - -### Applocker - -Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. - -Enhancements to Applocker in Windows 10 include: - -- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). - -[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). - -### Bitlocker - -Enhancements to Applocker in Windows 10 include: - -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." - -[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). - -### Certificate management - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) - -### Microsoft Passport - -In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. - -### Security auditing - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -#### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -#### More info added to existing audit events - -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -#### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -#### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -#### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. **TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -#### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -#### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -#### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -#### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. - -[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). - -### Trusted Platform Module - -#### New TPM features in Windows 10 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support -- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support -- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support - -### Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. - -[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). - -### User Account Control - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. - -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). - -In Windows 10, User Account Control has added some improvements: - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. - -[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). - -### VPN profile options - -Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: - -- Always-on auto connection behavior -- App=triggered VPN -- VPN traffic filters -- Lock down VPN -- Integration with Microsoft Passport for Work - -[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) - - -## Management - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -### MDM support - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) - -### Unenrollment - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. - -### Infrastructure - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - - > **Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). - - -### Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. -- A portable device that drivers can use to check a route on a map. -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). - -### Customized Start layout - -A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). - -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). - -## Updates - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. - -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). - - -Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). - -## Microsoft Edge - -Microsoft Edge is not available in the LTSC release of Windows 10. - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). + +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### Applocker + +Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to Applocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### Bitlocker + +Enhancements to Applocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. **TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). + +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + + +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge is not available in the LTSC release of Windows 10. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index ebf6fb48d9..683b980e8f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -1,178 +1,178 @@ ---- -title: What's new in Windows 10 Enterprise 2016 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2016 LTSC - -**Applies to** -- Windows 10 Enterprise 2016 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. - -## Deployment - -### Windows Imaging and Configuration Designer (ICD) - -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) - -Windows ICD now includes simplified workflows for creating provisioning packages: - -- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) -- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) -- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) - -[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) - -### Windows Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. - -[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -## Security - -### Credential Guard and Device Guard - -Isolated User Mode is now included with Hyper-V so you don't have to install it separately. - -### Windows Hello for Business - -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: - -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. -- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. -- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. - - -[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) - -### Bitlocker - -#### New Bitlocker features - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. - -### Security auditing - -#### New Security auditing features - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -### Trusted Platform Module - -#### New TPM features - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). - -### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) - -[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) - -### Windows Defender - -Several new features and management options have been added to Windows Defender in this version of Windows 10. - -- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. - -### Windows Defender Advanced Threat Protection (ATP) - -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. - -[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -### VPN security - -- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. -- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. - -## Management - -### Use Remote Desktop Connection for PCs joined to Azure Active Directory - -From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) - -### Taskbar configuration - -Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) - -### Mobile device management and configuration service providers (CSPs) - -Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). - -### Shared PC mode - -This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) - -### Application Virtualization (App-V) for Windows 10 - -Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. - -With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. - -[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) - -### User Experience Virtualization (UE-V) for Windows 10 - -Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. - -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. - -With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. - -[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. +- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### Bitlocker + +#### New Bitlocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index dad076a535..129309368a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -1,631 +1,631 @@ ---- -title: What's new in Windows 10 Enterprise 2019 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2019 LTSC - -**Applies to** -- Windows 10 Enterprise 2019 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. - -Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: - - Advanced protection against modern security threats - - Full flexibility of OS deployment - - Updating and support options - - Comprehensive device and app management and control capabilities - -The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. - ->[!IMPORTANT] ->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. - -## Microsoft Intune - ->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. - -## Security - -This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. - -### Threat protection - -#### Windows Defender ATP - -The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. - -![Windows Defender ATP](../images/wdatp.png) - -##### Attack surface reduction - -Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. - -###### Windows Defender Firewall - -Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). - -##### Windows Defender Device Guard - -[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: -- Software-based protection provided by code integrity policies -- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) - -But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). - -### Next-gen protection - -#### Office 365 Ransomware Detection - -For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) - -### Endpoint detection and response - -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. - - Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). - - We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) -- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) -- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) -- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) - - Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). - - New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) - - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). - - **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - - Upgraded detections of ransomware and other advanced attacks. - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. - - **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. - -Additional capabilities have been added to help you gain a holistic view on **investigations** include: - - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. - -Other enhanced security features include: -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. -- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) - -We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. - -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. - -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). - -You can read more about ransomware mitigations and detection capability at: -- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) -- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) - -Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) - -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). - -### Information protection - -Improvements have been added to Windows Information Protection and BitLocker. - -#### Windows Information Protection - -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). - -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). - -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). - -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). - -### BitLocker - -The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). - -#### Silent enforcement on fixed drives - -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. - -This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. - -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. -2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. -3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. - -### Identity protection - -Improvements have been added are to Windows Hello for Business and Credential Guard. - -#### Windows Hello for Business - -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. - -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: -- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). -- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). - -[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). -- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). - -For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) - -#### Windows Defender Credential Guard - -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. - -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. - -For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). - -### Other security improvments - -#### Windows security baselines - -Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). - -**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). - -The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. - -#### SMBLoris vulnerability - -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. - -#### Windows Security Center - -Windows Defender Security Center is now called **Windows Security Center**. - -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. - -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. - -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. - -![alt text](../images/defender.png "Windows Security Center") - -#### Group Policy Security Options - -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. - -A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. - -#### Windows 10 in S mode - -We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - -![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). - -#### Windows Autopilot self-deploying mode - -Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. - -This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - -To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). - - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). - -### MBR2GPT.EXE - -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). - -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. - -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. - -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). - -### DISM - -The following new DISM commands have been added to manage feature updates: - - DISM /Online /Initiate-OSUninstall - – Initiates a OS uninstall to take the computer back to the previous installation of windows. - DISM /Online /Remove-OSUninstall - – Removes the OS uninstall capability from the computer. - DISM /Online /Get-OSUninstallWindow - – Displays the number of days after upgrade during which uninstall can be performed. - DISM /Online /Set-OSUninstallWindow - – Sets the number of days after upgrade during which uninstall can be performed. - -For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). - -### Windows Setup - -You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. - -Prerequisites: -- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. -- Windows 10 Enterprise or Pro - -For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). - -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - - /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) - -New command-line switches are also available to control BitLocker: - - Setup.exe /BitLocker AlwaysSuspend - – Always suspend bitlocker during upgrade. - Setup.exe /BitLocker TryKeepActive - – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. - Setup.exe /BitLocker ForceKeepActive - – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) - -### Feature update improvements - -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). - -### SetupDiag - -[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. - -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -## Sign-in - -### Faster sign-in to a Windows 10 shared pc - -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! - -**To enable fast sign-in:** -1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. -2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. -3. Sign-in to a shared PC with your account. You'll notice the difference! - - ![fast sign-in](../images/fastsignin.png "fast sign-in") - -### Web sign-in to Windows 10 - -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). - -**To try out web sign-in:** -1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. -3. On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. - -![Web sign-in](../images/websignin.png "web sign-in") - -## Windows Analytics - -### Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -### Update Compliance - -Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. - -Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. - -For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). - -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). - -### Device Health - -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -## Accessibility and Privacy - -### Accessibility - -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. - -### Privacy - -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. - -## Configuration - -### Kiosk configuration - -Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. - -If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. - -### Co-management - -Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. - -For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) - -### OS uninstall period - -The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. - -### Azure Active Directory join in bulk - -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. - -![get bulk token action in wizard](../images/bulk-token.png) - -### Windows Spotlight - -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - -- **Turn off the Windows Spotlight on Action Center** -- **Do not use diagnostic data for tailored experiences** -- **Turn off the Windows Welcome Experience** - -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) - -### Start and taskbar layout - -Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). - -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - -- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) -- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) -- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). - -## Windows Update - -### Windows Update for Business - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -### Windows Insider for Business - -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). - -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). - - -### Optimize update delivery - -With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. - ->[!NOTE] -> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. - -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. - -Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) - -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) - -### Uninstalled in-box apps no longer automatically reinstall - -Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. - -Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. - -## Management - -### New MDM capabilities - -Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). - -Some of the other new CSPs are: - -- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - -- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. - -- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - -- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. - -- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). - -- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. - -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. - -[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) - -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). - -### Mobile application management support for Windows 10 - -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. - -For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). - -### MDM diagnostics - -In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. - -### Application Virtualization for Windows (App-V) - -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. - -For more info, see the following topics: -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) - -### Windows diagnostic data - -Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. - -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) - -### Group Policy spreadsheet - -Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. - -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) - -### Mixed Reality Apps - -This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). - -## Networking - -### Network stack - -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). - -### Miracast over Infrastructure - -In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). - -How it works: - -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. - -Miracast over Infrastructure offers a number of benefits: - -- Windows automatically detects when sending the video stream over this path is applicable. -- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. -- No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. -- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - -Enabling Miracast over Infrastructure: - -If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - -- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. -- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. -- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -See the following example: - -![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: + - Advanced protection against modern security threats + - Full flexibility of OS deployment + - Updating and support options + - Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +## Microsoft Intune + +>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: +- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) +- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) +- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) +- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: +- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). + +#### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). + + +#### Autopilot Reset + +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### DISM + +The following new DISM commands have been added to manage feature updates: + + DISM /Online /Initiate-OSUninstall + – Initiates a OS uninstall to take the computer back to the previous installation of windows. + DISM /Online /Remove-OSUninstall + – Removes the OS uninstall capability from the computer. + DISM /Online /Get-OSUninstallWindow + – Displays the number of days after upgrade during which uninstall can be performed. + DISM /Online /Set-OSUninstallWindow + – Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). + +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + + /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) + +New command-line switches are also available to control BitLocker: + + Setup.exe /BitLocker AlwaysSuspend + – Always suspend bitlocker during upgrade. + Setup.exe /BitLocker TryKeepActive + – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + Setup.exe /BitLocker ForceKeepActive + – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](../images/fastsignin.png "fast sign-in") + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](../images/websignin.png "web sign-in") + +## Windows Analytics + +### Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Kiosk configuration + +Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. + +If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. + +### Co-management + +Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](../images/bulk-token.png) + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + +## Windows Update + +### Windows Update for Business + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). + +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +How it works: + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +Enabling Miracast over Infrastructure: + +If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index bd6b7f1df1..0301b62f00 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,151 +1,151 @@ ---- -title: What's new in Windows 10, version 1903 -description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# What's new in Windows 10, version 1903 IT Pro content - -**Applies to** -- Windows 10, version 1903 - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809. - ->[!NOTE] ->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage). - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: - -- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. -- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. -- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). - -### SetupDiag - -[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -### Reserved storage - -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. - -## Servicing - -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. -- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. -- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. -- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. -- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. - -## Security - -### Windows Information Protection - -With this release, Windows Defender ATP extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). - -### Security configuration framework - -With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework), called the **SECCON framework**, comprised of 5 device security configurations. - -### Security baseline for Windows 10 and Windows Server - -The draft release of the [security configuration baseline settings](https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/) for Windows 10, version 1903 and for Windows Server version 1903 is available. - -### Intune security baselines - -[Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams. - -### Microsoft Defender Advanced Threat Protection (ATP): - -- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. -- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers. -- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. - -### Microsoft Defender ATP next-gen protection technologies: - -- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. -- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. - -### Threat Protection - -- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. -- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. - -- [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. - - To try this extension: - 1. Configure WDAG policies on your device. - 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any additional configuration steps on the extension setup page. - 4. Reboot the device. - 5. Navigate to an untrusted site in Chrome and Firefox. - - - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. - -- [Windows Defender Application Control (WDAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - - [Path-Based Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
          - This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. - -#### System Guard - -[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. - -This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: - -![System Guard](images/system-guard.png "SMM Firmware Measurement") - -### Identity Protection - -- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. -- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. -- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! -- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -### Security management - -- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. -- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. -- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. - -## Microsoft Edge - -Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information. - -## See Also - -[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
          -[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
          -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          -[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
          -[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers. +--- +title: What's new in Windows 10, version 1903 +description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). +keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro author: greg-lindsay +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 1903 IT Pro content + +**Applies to** +- Windows 10, version 1903 + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809. + +>[!NOTE] +>New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage). + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: + +- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. +- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. + +### Windows 10 Subscription Activation + +Windows 10 Education support has been added to Windows 10 Subscription Activation. + +With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. + +SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +### Reserved storage + +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. + +## Servicing + +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. +- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. +- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. + +## Security + +### Windows Information Protection + +With this release, Windows Defender ATP extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). + +### Security configuration framework + +With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework), called the **SECCON framework**, comprised of 5 device security configurations. + +### Security baseline for Windows 10 and Windows Server + +The draft release of the [security configuration baseline settings](https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/) for Windows 10, version 1903 and for Windows Server version 1903 is available. + +### Intune security baselines + +[Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams. + +### Microsoft Defender Advanced Threat Protection (ATP): + +- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers. +- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + +### Microsoft Defender ATP next-gen protection technologies: + +- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. +- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. +- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. +- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. + +### Threat Protection + +- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. +- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. + +- [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + + To try this extension: + 1. Configure WDAG policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. + + - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + +- [Windows Defender Application Control (WDAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
          + This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +#### System Guard + +[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. + +This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: + +![System Guard](images/system-guard.png "SMM Firmware Measurement") + +### Identity Protection + +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! +- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +### Security management + +- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. +- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. +- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. + +## Microsoft Edge + +Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information. + +## See Also + +[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
          +[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
          +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
          +[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
          +[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.