| Expand a category. |  |
| Select a setting. |  |
| Enter a value for the setting. Click **Add** if the button is displayed. |  |
| Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed. |  |
| When the setting is configured, it is displayed in the **Selected customizations** pane. |  |
The receiving device uses this information to understand information in the Data field. | +| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. | + + + +### NFC provisioning helper + +The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format: + +
| **Version**(1 byte) | **Leading** (1 byte) | **Order**(1 byte) | **Total**(1 byte) | **Chunk payload**(N bytes) |
+
+
+
+
+
+
+## About MDT
+
+MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
+- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
+- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
+- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager.
+
+## Install MDT
+
+1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Stop-Process -Name Explorer
+ ```
+2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
+
+3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components.
+
+3. If desired, re-enable IE Enhanced Security Configuration:
+
+ ```
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Stop-Process -Name Explorer
+ ```
+
+## Create a deployment share and reference image
+
+A reference image serves as the foundation for Windows 10 devices in your organization.
+
+1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
+
+5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+6. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**| Topic | Description | Time + + |
| [About MDT](#about-mdt) | A high-level overview of the Microsoft Deployment Toolkit (MDT). | Informational + |
| [Install MDT](#install-mdt) | Download and install MDT. | 40 minutes + |
| [Create a deployment share and reference image](#create-a-deployment-share-and-reference-image) | A reference image is created to serve as the template for deploying new images. | 90 minutes + |
| [Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt) | The reference image is deployed in the PoC environment. | 60 minutes + |
| [Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10) | Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. | 60 minutes + |
| [Replace a computer with Windows 10](#replace-a-computer-with-windows-10) | Back up an existing client computer, then restore this backup to a new computer. | 60 minutes + |
| [Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities) | Log locations and troubleshooting hints. | Informational + |
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + + +7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +10. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Progress: wait for files to be copied + - Confirmation: click **Finish** + + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. + +11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + + +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. + +14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. + +15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +18. Click **OK** to complete editing the task sequence. + +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. + +20. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +22. Click **OK** to complete the configuration of the deployment share. + +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + +
+
+
+ The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
+
+27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+
+28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+
+ Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+
+ - Install the Windows 10 Enterprise operating system.
+ - Install added applications, roles, and features.
+ - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Stage Windows PE on the local disk.
+ - Run System Preparation (Sysprep) and reboot into Windows PE.
+ - Capture the installation to a Windows Imaging (WIM) file.
+ - Turn off the virtual machine.+ + New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 ++
+ + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. + +## Deploy a Windows 10 image using MDT + +This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. + +1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd + - **Share name**: MDTProd$ + - **Deployment share description**: MDT Production + - **Options**: accept the default + + +2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. + +3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. + +4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +5. On the **OS Type** page, choose **Custom image file** and then click **Next**. + +6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. + +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. + +8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. + +9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. + +10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: + +  + + +### Create the deployment task sequence + +1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. + +2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 Custom Image + - Task sequence comments: Production Image + - Select Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: http://www.contoso.com + - Admin Password: pass@word1 + +### Configure the MDT production deployment share + +1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + ``` + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force + ``` +2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. + +3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=administrator + DomainAdminDomain=CONTOSO + DomainAdminPassword=pass@word1 + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://SRV1:9800 + ``` + **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + + If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): + + ``` + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + ``` + + For example, to migrate **all** users on the computer, replace this line with the following: + + ``` + ScanStateArgs=/all + ``` + + For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). + +4. Click **Edit Bootstap.ini** and replace text in the file with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTProd$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` +5. Click **OK** when finished. + +### Update the deployment share + +1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. + +3. Click **Finish** when the update is complete. + +### Enable deployment monitoring + +1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. + +2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). + +4. Close Internet Explorer. + +### Configure Windows Deployment Services + +1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. + +3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. + +4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. + +### Deploy the client image + +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. + + >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 + ``` + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + +3. Start the new VM and connect to it: + + ``` + Start-VM PC2 + vmconnect localhost PC2 + ``` +4. When prompted, hit ENTER to start the network boot process. + +5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. +8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. + +  + + +This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. + +## Refresh a computer with Windows 10 + +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). + +If the PC1 VM is not already running, then start and connect to it: + + ``` + Start-VM PC1 + vmconnect localhost PC1 + ``` + +1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +2. Sign on to PC1 using the CONTOSO\Administrator account. + + >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + +3. Open an elevated command prompt on PC1 and type the following: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` + + **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. + +4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +5. Choose **Do not back up the existing computer** and click **Next**. + + **Note**: The USMT will still back up the computer. + +6. Lite Touch Installation will perform the following actions: + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. + + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + +7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). + +8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName RefreshState + ``` + +9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false + Start-VM PC1 + vmconnect localhost PC1 + ``` + +10. Sign in to PC1 using the contoso\administrator account. + +## Replace a computer with Windows 10 + +At a high level, the computer replace process consists of:
+- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
+- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. + +### Create a backup-only task sequence + +1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. +2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. +3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -Path C:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE + icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' + ``` +4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. +5. Name the new folder **Other**, and complete the wizard using default options. +6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 + - **Task sequence name**: Backup Only Task Sequence + - **Task sequence comments**: Run USMT to back up user data and settings + - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) +7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. +8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. + +### Run the backup-only task sequence + +1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: + + ``` + whoami + ``` +2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: + + ``` + Remove-Item c:\minint -recurse + Remove-Item c:\_SMSTaskSequence -recurse + Restart-Computer + ``` +2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` +3. Complete the deployment wizard using the following: + - **Task Sequence**: Backup Only Task Sequence + - **User Data**: Specify a location: **\\SRV1\MigData$\PC1** + - **Computer Backup**: Do not back up the existing computer. +4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: + + ``` + PS C:\> dir C:\MigData\PC1\USMT + + Directory: C:\MigData\PC1\USMT + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG + ``` +### Deploy PC3 + +1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + ``` +2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` +3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` +4. When prompted, press ENTER for network boot. + +6. On PC3, ue the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1** +5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + +8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. + +9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure. + +## Troubleshooting logs, events, and utilities + +Deployment logs are available on the client computer in the following locations: +- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS +- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS +- After deployment: %WINDIR%\TEMP\DeploymentLogs + +You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. + +Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) + +Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. + +## Related Topics + +[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
+[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md) + + + + + + + diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md new file mode 100644 index 0000000000..d9278a15c5 --- /dev/null +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -0,0 +1,1040 @@ +--- +title: Deploy Windows 10 using System Center Configuration Manager +description: Deploy Windows 10 in a test lab using System Center Configuration Manager +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Deploy Windows 10 in a test lab using System Center Configuration Manager + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: +- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. + +This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. + +## In this guide + +This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
+
+
+
+
+
+
+## Install prerequisites
+
+1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
+ ```
+
+ >If the request to add features fails, retry the installation by typing the command again.
+
+2. Download [SQL Server 2012 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
+3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
+ ```
+
+ This command mounts the .ISO file to drive D on SRV1.
+
+4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server 2012 SP2:
+
+ ```
+ D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
+ ```
+ Installation will take several minutes. When installation is complete, the following output will be displayed:
+
+ ```
+ Microsoft (R) SQL Server 2014 12.00.5000.00
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Microsoft (R) .NET Framework CasPol 2.0.50727.7905
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Success
+ Microsoft (R) .NET Framework CasPol 2.0.50727.7905
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Success
+ One or more affected files have operations pending.
+ You should restart your computer to complete this process.
+ PS C:\>
+ ```
+5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
+ ```
+
+7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components.
+
+## Install System Center Configuration Manager
+
+1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Stop-Process -Name Explorer
+ ```
+
+2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+
+3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
+
+ ```
+ Get-Service Winmgmt
+
+ Status Name DisplayName
+ ------ ---- -----------
+ Running Winmgmt Windows Management Instrumentation
+
+ Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
+
+ ComputerName : 192.168.0.2
+ RemoteAddress : 192.168.0.2
+ RemotePort : 135
+ AllNameResolutionResults :
+ MatchingIPsecRules :
+ NetworkIsolationContext : Internet
+ InterfaceAlias : Ethernet
+ SourceAddress : 192.168.0.2
+ NetRoute (NextHop) : 0.0.0.0
+ PingSucceeded : True
+ PingReplyDetails (RTT) : 0 ms
+ TcpTestSucceeded : True
+ ```
+ You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
+
+ If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
+
+4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
+ ```
+
+5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
+
+ ```
+ adsiedit.msc
+ ```
+
+6. Right-click **ADSI Edit**, click **Connect to**, select **Default** under **Computer** and then click **OK**.
+7. Expand **Default naming context**>**DC=contoso,DC=com**, right-click **CN=System**, point to **New**, and then click **Object**.
+8. Click **container** and then click **Next**.
+9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
+10. Right-click **CN=system Management** and then click **Properties**.
+11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**.
+12. Under **Enter the object names to select**, type **SRV1** and click **OK**.
+13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
+14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**.
+15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times.
+16. Close the ADSI Edit console and switch back to SRV1.
+17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
+ ```
+18. Provide the following in the System Center Configuration Manager Setup Wizard:
+ - **Before You Begin**: Read the text and click *Next*.
+ - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
+ - Click **Yes** in response to the popup window.
+ - **Product Key**: Choose **Install the evaluation edition of this Product**.
+ - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
+ - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
+ - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
+ - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
+ - use default settings for all other options
+ - **Usage Data**: Read the text and click **Next**.
+ - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
+ - **Settings Summary**: Review settings and click **Next**.
+ - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
+
+ >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored.
+
+ Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
+
+19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
+
+ ```
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Stop-Process -Name Explorer
+ ```
+
+## Download MDOP and install DaRT
+
+1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host.
+
+2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
+ ```
+3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
+ ```
+4. Install DaRT 10 using default settings.
+5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
+ Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
+ ```
+
+## Prepare for Zero Touch installation
+
+This section contains several procedures to support Zero Touch installation with System Center Configuration Manager.
+
+### Create a folder structure
+
+1. Type the following commands at a Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -ItemType Directory -Path "C:Sources\OSD\Boot"
+ New-Item -ItemType Directory -Path "C:Sources\OSD\OS"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
+ New-Item -ItemType Directory -Path "C:\Logs"
+ New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
+ New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
+ ```
+
+### Enable MDT ConfigMgr integration
+
+1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
+2. Type **PS1** next to **Site code**, and then click **Next**.
+3. Verify **The process completed successfully** is displayed, and then click **Finish**.
+
+### Configure client settings
+
+1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
+2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
+3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
+4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**.
+5. In the display pane, double-click **Default Client Settings**.
+6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
+
+### Configure the network access account
+
+1. In the Administration workspace, expand **Site Configuration** and click **Sites**.
+2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**.
+3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
+4. Click the yellow starburst and then click **New Account**.
+5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
+6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice.
+
+### Configure a boundary group
+
+1. In the Administration workspace, expand **Hierary Configuration**, right-click **Boundaries** and then click **Create Boundary**.
+2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**.
+3. Choose **Default-First-Site-Name** and then click **OK** twice.
+4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**.
+5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**.
+6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox.
+7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice.
+
+### Enable PXE on the distribution point
+
+1. Deterime the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ (Get-NetAdapter "Ethernet").MacAddress
+ ```
+ >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
+
+2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
+3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
+4. On the PXE tab, select the following settings:
+ - Enable PXE support for clients. Click **Yes** in the popup that appears.
+ - Allow this distribution point to respond to incoming PXE requests
+ - Enable unknown computer support. Click **OK** in the popup that appears.
+ - Require a password when computers use PXE
+ - Password and Confirm password: pass@word1
+ - Respond to PXE requests on specific network interfaces: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
+
+ See the following example:
+
+ | Topic | Description | Time + + |
| [Install prerequisites](#install-prerequisites) | Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK. | 60 minutes + |
| [Install System Center Configuration Manager](#install-system-center-configuration-manager) | Download System Center Configuration Manager, configure prerequisites, and install the package. | 45 minutes + |
| [Download MDOP and install DaRT](#download-mdop-and-install-dart) | Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10. | 15 minutes + |
| [Prepare for Zero Touch installation](#prepare-for-zero-touch-installation) | Prerequisite procedures to support Zero Touch installation. | 60 minutes + |
| [Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager) | Use the MDT wizard to create the boot image in Configuration Manager. | 20 minutes + |
| [Create a Windows 10 reference image](#create-a-windows-10-reference-image) | This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. | 0-60 minutes + |
| [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image) | Add a Windows 10 operating system image and distribute it. | 10 minutes + |
| [Create a task sequence](#Create a task sequence) | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes + |
| [Finalize the operating system configuration](#finalize-the-operating-system-configuration) | Enable monitoring, configure rules, and distribute content. | 30 minutes + |
| [Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager) | Deploy Windows 10 using Configuration Manager deployment packages and task sequences. | 60 minutes + |
| [Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager) | Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT | 90 minutes + |
| [Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager) | Replace a client computer with Windows 10 using Configuration Manager. | 90 minutes + + |
+
+5. Click **OK**.
+6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+ ```
+ cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+
+ abortpxe.com
+ bootmgfw.efi
+ bootmgr.exe
+ pxeboot.com
+ pxeboot.n12
+ wdsmgfw.efi
+ wdsnbp.com
+ ```
+ >If these files are not present, type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the C:\RemoteInstall\SMSBoot\x64 directory. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the C:\RemoteInstall directory is being populated with necessary files:
+
+ Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
+
+ Once the files are present in C:\RemoteInstall, you can close the cmtrace tool.
+
+### Create a branding image file
+
+1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
+2. Type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
+ ```
+ >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
+
+
+## Create a boot image for Configuration Manager
+
+1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
+ - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
+3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
+4. On the Options page, under **Platform** choose **x64**, and click **Next**.
+5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
+7. Click **Finish**.
+8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
+9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+ >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
+ ```
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
+14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
+
+ ```
+ cmd /c dir /s /b C:\RemoteInstall\SMSImages
+
+ C:\RemoteInstall\SMSImages\PS100004
+ C:\RemoteInstall\SMSImages\PS100005
+ C:\RemoteInstall\SMSImages\PS100006
+ C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
+ C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
+ C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
+ ```
+
+ >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
+
+## Create a Windows 10 reference image
+
+If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
+
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+5. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard TimeZoneName + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. + +## Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64" + cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + ``` + +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. + +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. + +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. + +5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. + +6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. + + >If content distribution is not successful, verify that sufficient disk space is available. + +## Create a task sequence + +>Complete this section slowly. There are a large number of similar settings from which to choose. + +1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. + +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. + +4. On the Details page, enter the following settings:
+ - Join a domain: contoso.com
+ - Account: click **Set**
+ - User name: contoso\CM_JD
+ - Password: pass@word1
+ - Confirm password: pass@word1
+ - Click **OK**
+ - Windows Settings
+ - User name: Contoso
+ - Organization name: Contoso
+ - Product key: \
+ - Administrator Account: Enable the account and specify the local administrator password
+ - Password: pass@word1
+ - Confirm password: pass@word1
+ - Click Next
+ +5. On the Capture Settings page, accept the default settings and click **Next**. + +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**. + +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**. + +8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**. + +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**. + +10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. + +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**. + +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**. + +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. + +14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. + +15. On the Sysprep Package page, click **Next** twice. + +16. On the Confirmation page, click **Finish**. + +### Edit the task sequence + +1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. + +2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. + +3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. + +4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. + +5. Configure the **Request State Store** action that was just added with the following settings:
+ - Request state storage location to: **Restore state from another computer**
+ - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **Apply**
. + +6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. + +7. Configure the **Release State Store** action that was just added with the following settings:
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **OK**
. + + +## Finalize the operating system configuration + +>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. + +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. + +2. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTProduction**
+ - Share name: **MDTProduction$**
+ - Deployment share description: **MDT Production**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +3. Right-click the **MDT Production** deployment share, and click **Properties**. + +4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +5. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ``` +6. Replace the contents of the file with the following text, and then save the file: + + ``` + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\SRV1\Logs$ + EventService=http://SRV1:9800 + ApplyGPOPack=NO + ``` +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. + +8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. + +9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. + +### Create a deployment for the task sequence + +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. + +2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. + +3. On the Deployment Settings page, use the following settings:
+ - Purpose: **Available**
+ - Make available to the following: **Only media and PXE**
+ - Click **Next**.
+4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + +5. Click **Close**. + +## Deploy Windows 10 using PXE and Configuration Manager + +1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + Start-VM PC4 + vmconnect localhost PC4 + ``` + +2. Press ENTER when prompted to start the network boot service. + +3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. + +4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open. + +5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. + +6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + +7. In the explorer window, click **Tools** and then click **Map Network Drive**. + +8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. + +9. Close the Map Network Drive window, the Explorer window, and the command prompt. + +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. + +11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 + - Install the Configuration Manager client and hotfix + - Join the computer to the contoso.com domain + - Install any applications that were specified in the reference image + +12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. + +13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. + +14. Shut down the PC4 VM. + +## Refresh a client with Windows 10 using Configuration Manager + +>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console to remove stale entries under contoto.com\Computers, but **do not delete the computer account (hostname) for PC1**. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. + +### Install the Configuration Manager client on PC1 + +1. Verify that PC1 is in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). + +2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` +3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarcy Configuration** and click on **Discovery Methods**. +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. +6. When a popup dialog box asks if you want to run full discovery, click **Yes**. +7. In the Assets and Compliance workspace, expand **Devices** and click **All Systems**. Verify that a computer account for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the hostname of PC1 in this example): + +  + + >If you only see the **Devices** parent node, you can add and view device collections in the tree by clicking **Device Collections** and then double-clicking a device collection. + + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + +8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists: + + ``` + sc stop ccmsetup + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall + ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). + +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: + + ``` + net stop wuauserv + net stop BITS + ``` + + Verify that both services were stopped successfully, then type the following at an elevated command prompt: + + ``` + del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + net start BITSexit + bitsadmin /list /allusers + ``` + + Verify that BITSAdmin displays 0 jobs. + +10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: + + ``` + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 + ``` +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: + + ``` + Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait + ``` + + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation. A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + +13. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` + +14. Click the **Site** tab and click **Find Site**. The client will report that it has found the PS1 site. See the following example: + +  + + If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. + +15. On SRV1, in the Assets and Compliance workspace, click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: + +  + + >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. + +### Create a device collection and deployment + +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM
+ - Click **Next** twice and then click **Close** in both windows. + +3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. + +4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. + +5. Use the following settings in the Deploy Sofware wizard: + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - Deployment Settings > Purpose: **Available**
+ - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+ - Scheduling > Click **Next**
+ - User Experience > Click **Next**
+ - Alerts > Click **Next**
+ - Distribution Points > Click **Next**
+ - Summary > Click **Next**
+ - Verify that the wizard completed successfully and then click **Close** + +6. **Important** Before initiating a computer refresh, save a checkpoint for all three computers: PC1, SRV1, and DC1. This ensures that we can restore all computers, including Active Directory and the Configuration Manager client status to the pre-Windows 10 installation state prior to running the replace procedure. To save checkpoints, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName cm-start + Checkpoint-VM -Name SRV1 -SnapshotName cm-start + Checkpoint-VM -Name DC1 -SnapshotName cm-start + ``` + +### Initiate the computer refresh + +1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. +3. On PC1, in the notification area, click **New sofware is available** and then click **Open Sofware Center**. +4. In the Sofware Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: + +  + + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: + +  + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + +  + +5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required. To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name DC1 -SnapshotName cm-refresh + Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh + Checkpoint-VM -Name PC1 -SnapshotName cm-refresh + ``` + +## Replace a client with Windows 10 using Configuration Manager + +Before starting the replace procedure, restore all three VMs using the checkpoints created in the previous procedure. To restore the checkpoints and connect to the VMs again, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +Restore-VMSnapshot -VMName DC1 -Name cm-start -Confirm:$false +Restore-VMSnapshot -VMName SRV1 -Name cm-start -Confirm:$false +Restore-VMSnapshot -VMName PC1 -Name cm-start -Confirm:$false +Start-VM DC1 +vmconnect localhost DC1 +Start-VM SRV1 +vmconnect localhost SRV1 +Start-VM PC1 +vmconnect localhost PC1 +``` + +>If resources are limited in the Hyper-V environment, SRV1 can require several minutes for all services to start and present the sign-in screen after restoring VMs. Verify that all required services are running, and start any service that are not running. Use the Server Manager dashboard to view and start services. When all services are running, open the Configuration Manager console. + +### Create a replace task sequence + +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. + +3. On the General page, type the following: + - Task sequence name: **Replace Task Sequence** + - Task sequence comments: **USMT backup only** + +4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. +8. On the Summary page, review the details and then click **Next**. +9. On the Confirmation page, click **Finish**. + +>If you receive an error at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. + +### Deploy PC4 + +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 +Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF +``` + +>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. + +### Associate PC4 with PC1 + +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. + +2. On the Select Source page, choose **Import single computer** and click **Next**. + +3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** + - MAC Address: **00:15:5D:83:26:FF** + - Source Computer:
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM.
+ - Click **Next** twice and then click **Close** in both windows. + +3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. + +### Create a new deployment + +In the Configuration Manager console, in the Software Library workspace, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +- General > Collection: **USMT Backup (Replace)**
+- Deployment Settings > Purpose: **Available**
+- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Scheduling: Click **Next**
+- User Experience: Click **Next**
+- Alerts: Click **Next**
+- Distribution Points: Click **Next**
+- Click **Next** and then click **Close**. + +### Verify the backup + +1. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` +2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is another method that can be used in addition to the Client Notification method used previously. + +3. Using the Software Center as was done in the previous procedure, click **Operating Systems** and then click **Replace Task Sequence**. See the following example: + +  + +4. Click **Install** and then click **INSTALL OPERATING SYSTEM**. +5. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. + +### Deploy the new computer + +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: + + ``` + Start-VM PC4 + vmconnect localhost PC4 + ``` +2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and click **Next**. +3. Choose the **Windows 10 Enterprise X64** image. +4. Setup will install the operating system, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. + + +## Related Topics + +[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + + + + + + + diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md new file mode 100644 index 0000000000..74b8d0f352 --- /dev/null +++ b/windows/deploy/windows-10-poc.md @@ -0,0 +1,1090 @@ +--- +title: Configure a test lab to deploy Windows 10 +description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Step by step guide: Configure a test lab to deploy Windows 10 + +**Applies to** + +- Windows 10 + +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: + +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
+- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+ +The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. + +Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. + +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. + +>Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. + +>A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. + +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-in-this-guide) used in this guide before starting. + +## In this guide + +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. + +After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
+
+
+
+
+
+
+## Hardware and software requirements
+
+One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
+
+- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
+
+Harware requirements are displayed below:
+
+| Topic | Description | Time + + |
| [Hardware and software requirements](#hardware-and-software-requirements) | Prerequisites to complete this guide. | Informational + |
| [Lab setup](#lab-setup) | A description and diagram of the PoC environment. | Informational + |
| [Configure the PoC environment](#configure-the-poc-environment) | Parent topic for procedures. | Informational + |
| [Verify support and install Hyper-V](#verify-support-and-install-hyper-v) | Verify that installation of Hyper-V is supported, and install the Hyper-V server role. | 10 minutes + |
| [Download VHD and ISO files](#download-vhd-and-iso-files) | Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host. | 30 minutes + |
| [Convert PC to VM](#convert-pc-to-vm) | Convert a physical computer on your network to a VM hosted in Hyper-V. | 30 minutes + |
| [Resize VHD](#resize-vhd) | Increase the storage capacity for one of the Windows Server VMs. | 5 minutes + |
| [Configure Hyper-V](#configure-hyper-v) | Create virtual switches, determine available RAM for virtual machines, and add virtual machines. | 15 minutes + |
| [Configure VHDs](#configure-vhds) | Start virtual machines and configure all services and settings. | 60 minutes + |
| [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) | Verify and troubleshoot network connectivity and services in the PoC environment. | 30 minutes + |
| [Appendix B: Terminology in this guide](#appendix-d-terminology-in-this-guide) | Terms used in this guide. | Informational + |
+
+
+
+
+
+*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
+
+
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
+
+## Lab setup
+
+The lab architecture is summarized in the following diagram:
+
+
+
+- Computer 1 is configured to host four VMs on a private, PoC network.
+ - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
+ - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
+
+>If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
+
+The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.
+
+## Configure the PoC environment
+
+>**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**.
+
+### Procedures in this section
+
+[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)| + | **Computer 1** (required) | +**Computer 2** (recommended) | +
| **Role** | +Hyper-V host | +Client computer | +
| **Description** | +This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module. | +This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process. | +
| **OS** | +Windows 8.1/10 or Windows Server 2012/2012 R2/2016* | +Windows 7 or a later | +
| **Edition** | +Enterprise, Professional, or Education | +Any | +
| **Architecture** | +64-bit | +Any Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade. |
+
| **RAM** | +8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
+ 16 GB RAM to test Windows 10 deployment with System Center Configuration Manager. |
+ Any | +
| **Disk** | +200 GB available hard disk space, any format. | +Any size, MBR formatted. | +
| **CPU** | +SLAT-Capable CPU | +Any | +
| **Network** | +Internet connection | +Any | +
+
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
+[Download VHD and ISO files](#download-vhd-and-iso-files)
+[Convert PC to VM](#convert-pc-to-vm)
+[Resize VHD](#resize-vhd)
+[Configure Hyper-V](#configure-hyper-v)
+[Configure VMs](#configure-vms)
+ +### Verify support and install Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + +
+ C:\>systeminfo + + ... + Hyper-V Requirements: VM Monitor Mode Extensions: Yes + Virtualization Enabled In Firmware: Yes + Second Level Address Translation: Yes + Data Execution Prevention Available: Yes ++ + In this example, the computer supports SLAT and Hyper-V. + + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](http://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example: + +
+ C:\>coreinfo -v + + Coreinfo v3.31 - Dump information on system CPU and memory topology + Copyright (C) 2008-2014 Mark Russinovich + Sysinternals - www.sysinternals.com + + Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz + Intel64 Family 6 Model 42 Stepping 7, GenuineIntel + Microcode signature: 0000001B + HYPERVISOR - Hypervisor is present + VMX * Supports Intel hardware-assisted virtualization + EPT * Supports Intel extended page tables (SLAT) ++ + Note: A 64-bit operating system is required to run Hyper-V. + +2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: + +
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All+ + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + +
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools+ + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + +  + +  + +
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**. + +### Download VHD and ISO files + +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. + +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. + + **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + + After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. + +
|  |
+C:\>mkdir VHD +C:\>cd VHD +C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd +C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd + 1 file(s) copied. +C:\VHD ren *.iso w10-enterprise.iso +C:\VHD>dir /B +2012R2-poc-1.vhd +2012R2-poc-2.vhd +w10-enterprise.iso ++ +### Convert PC to VM + +>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. + +
|
+If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+ +
|
+
+
+
+
+
+
+If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
+
+- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
+- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
+
+| + | Architecture | +Operating system | +Partition style | +
| Generation 1 | +32-bit or 64-bit | +Windows 7 or later | +MBR | +
| Generation 2 | +64-bit | +Windows 8 or later | +MBR or GPT | +
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type ++ +If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: + +
+PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type + +SystemName Caption Type +---------- ------- ---- +USER-PC1 Disk #0, Partition #0 GPT: System +USER-PC1 Disk #0, Partition #1 GPT: Basic Data ++ +On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: + +
+PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type + +SystemName Caption Type +---------- ------- ---- +PC-X1 Disk #0, Partition #0 GPT: Unknown +PC-X1 Disk #0, Partition #1 GPT: System +PC-X1 Disk #0, Partition #2 GPT: Basic Data +PC-X1 Disk #0, Partition #3 GPT: Basic Data +PC-X1 Disk #0, Partition #4 GPT: Basic Data + +PS C:\> Get-Disk + +Number Friendly Name OperationalStatus Total Size Partition Style +------ ------------- ----------------- ---------- --------------- +0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT ++ +**Choosing a VM generation** + +The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. + +
+
+
+
+
+
+
+Notes:| OS | +Partition style | +Architecture | +VM generation | +Procedure | +
| Windows 7 | +MBR | +32 | +1 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +
| 64 | +1 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +||
| GPT | +32 | +N/A | +N/A | +|
| 64 | +1 | +[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk) | +||
| Windows 8 or later | +MBR | +32 | +1 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +
| 64 | +1, 2 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +||
| GPT | +32 | +1 | +[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk) | +|
| 64 | +2 | +[Prepare a generation 2 VM](#prepare-a-generation-2-vm) | +
+
-
+
- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). +
- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the **mountvol** command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm). +
- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm). +
+ C:\vhd>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + w7.VHDX ++ +#### Prepare a generation 2 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, open an elevated command prompt and type the following command: + +
mountvol s: /s+ + This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). + +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +4. Select the checkboxes next to the **C:\** and the **S:\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. + + **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: + +  + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
+ C:\vhd>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + PC1.VHDX ++ +#### Prepare a generation 1 VM from a GPT disk + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkbox next to the **C:\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: + +  + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
+ C:\vhd>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + w7.VHD ++ + >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + +### Resize VHD + +
+**Enhanced session mode** + +**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. + +To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt: + +
Set-VMhost -EnableEnhancedSessionMode $TRUE+ +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +
+ +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. + +1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +
+ Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB + $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter + Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax ++ +2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: + +
+ Get-Volume -DriveLetter $x + Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd+ +### Configure Hyper-V + +1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": + + >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+ A) Remove the existing external virtual switch, then add the poc-external switch
+ B) Rename the existing external switch to "poc-external"
+ C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ If you choose B) or C), then do not run the second command below. + +
+ New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+ New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
+
+ **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+
+ >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+
+2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
+
+ + (Get-VMHostNumaNode).MemoryAvailable ++ + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: + +
+ (Get-VMHostNumaNode).MemoryAvailable/4 + 2775.5 ++ + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. + >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. + +
+ $maxRAM = 2700MB + New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal + Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1 + New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal + Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external" + Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1 ++ + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. + + To create a generation 1 VM (using c:\vhd\w7.vhdx): + +
+ New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal + Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1 ++ + To create a generation 2 VM (using c:\vhd\PC1.vhdx): + +
+ New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal + Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1 ++ + To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): + + >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. + + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + +
+ New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+ Mount-VHD -Passthru |
+ Get-Disk -Number {$_.DiskNumber} |
+ Initialize-Disk -PartitionStyle MBR -PassThru |
+ New-Partition -UseMaximumSize |
+ Format-Volume -Confirm:$false -FileSystem NTFS -force
+ Dismount-VHD -Path c:\vhd\d.vhd
+
+
+ Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt):
+
+ + New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal + Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd + Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso + Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1 + Start-VM PC1 + vmconnect localhost PC1 ++ + The VM will automatically boot into Windows Setup. In the PC1 window: + + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: + +
+ dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C ++ + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + +
+ diskpart + select disk 0 + clean + convert MBR + create partition primary size=100 + format fs=ntfs quick + active + create partition primary + format fs=ntfs quick label=OS + assign letter=c + exit ++ + 7. Type the following commands to restore the OS image and boot files: + +
+ dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ + bcdboot c:\windows + exit ++ + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + +
+ Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1 + Set-VMDvdDrive -VMName PC1 -Path $null ++ +### Configure VMs + +1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: + +
+ Start-VM DC1 + vmconnect localhost DC1 ++ +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**. +3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: + +
+ Rename-Computer DC1 + New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2 + Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 ++ + >The default gateway at 192.168.0.2 will be configured later in this guide. + + >Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + +6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: + +
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools ++ +7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: + +
+ Restart-Computer ++ +8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: + +
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force + Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force ++ + Ignore any warnings that are displayed. The computer will automatically reboot upon completion. + +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and supress the post-DHCP-install alert: + +
+ Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest + Add-WindowsFeature -Name DHCP -IncludeManagementTools + netsh dhcp add securitygroups + Restart-Service DHCPServer + Add-DhcpServerInDC dc1.contoso.com 192.168.0.1 + Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2 ++ +10. Next, add a DHCP scope and set option values: + +
+ Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active + Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force ++ + >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: + +
+ Get-DnsServerForwarder ++ + The following output should be displayed: + +
+ UseRootHint : True + Timeout(s) : 3 + EnableReordering : True + IPAddress : 192.168.0.2 + ReorderedIPAddress : 192.168.0.2 ++ + If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + +
+ Add-DnsServerForwarder -IPAddress 192.168.0.2 ++ +12. Minimize the DC1 VM window but **do not stop** the VM. + + Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + +13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: + +
+ Start-VM PC1 + vmconnect localhost PC1 ++ +14. Sign in to PC1 using an account that has local administrator rights. + + >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + +15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. + +  + + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + +16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. + +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. + + To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + + ``` + ipconfig + + Windows IP Configuration + + Ethernet adapter Local Area Connection 3: + Connection-specific DNS Suffix . : contoso.com + Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 + Ipv4 Address. . . . . . . . . . . : 192.168.0.101 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : 192.168.0.2 + + ping dc1.contoso.com + + Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + + nltest /dsgetdc:contoso.com + DC: \\DC1 + Address: \\192.168.0.1 + Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 + Dom Name: CONTOSO + Forest Name: contoso.com + Dc Site Name: Default-First-Site-Name + Our Site Name: Default-First-Site-Name + Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 + ``` + + >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: + +
+ (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0) + $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force + $user = "contoso\administrator" + $cred = New-Object System.Management.Automation.PSCredential($user,$pass) + Add-Computer -DomainName contoso.com -Credential $cred + Restart-Computer ++ + >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + + See the following example: + +  + +19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: + +
+ Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface" + Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host ++ + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + +21. On PC1, type the following commands at an elevated Windows PowerShell prompt: + +
+ Get-Content c:\pc1.ps1 | powershell.exe -noprofile - ++ + >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + +22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: + +
+ Start-VM SRV1 + vmconnect localhost SRV1 ++ +25. Accept the default settings, read license terms and accept them, provide an administrator password of **pass@word1**, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. +27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: + +
+ Rename-Computer SRV1 + New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24 + Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 + Restart-Computer ++ +28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: + +
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force + $user = "contoso\administrator" + $cred = New-Object System.Management.Automation.PSCredential($user,$pass) + Add-Computer -DomainName contoso.com -Credential $cred + Restart-Computer ++ +29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: + +
+ Install-WindowsFeature -Name DNS -IncludeManagementTools + Install-WindowsFeature -Name WDS -IncludeManagementTools + Install-WindowsFeature -Name Routing -IncludeManagementTools ++ +30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. + + To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: + +
+ Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias + + IPAddress InterfaceAlias + --------- -------------- + 10.137.130.118 Ethernet 2 + 192.168.0.2 Ethernet ++ + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. + +31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: + +
+ Install-RemoteAccess -VpnType Vpn + cmd /c netsh routing ip nat install + cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL + cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE + cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE ++ +32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: + +
+ Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1 ++ +33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: + +
+ ping www.microsoft.com ++ + If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + +
+ Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses ++ +34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): + +
+ PS C:\> ping www.microsoft.com + + Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data: + Reply from 23.222.146.170: bytes=32 time=3ms TTL=51 + Reply from 23.222.146.170: bytes=32 time=2ms TTL=51 + Reply from 23.222.146.170: bytes=32 time=2ms TTL=51 + Reply from 23.222.146.170: bytes=32 time=1ms TTL=51 + + Ping statistics for 23.222.146.170: + Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), + Approximate round trip times in milli-seconds: + Minimum = 1ms, Maximum = 3ms, Average = 2ms ++ +35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-b-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: + +
+ runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm" + Restart-Computer ++ +### Configure service and user accounts + +Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + +>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
+New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA +Set-ADUser -Identity user1 -PasswordNeverExpires $true +Set-ADUser -Identity administrator -PasswordNeverExpires $true +Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true +Set-ADUser -Identity CM_JD -PasswordNeverExpires $true +Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true ++ +This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. + +## Appendix A: Verify the configuration + +Use the following procedures to verify that the PoC environment is configured properly and working as expected. + +1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
+ Get-Service NTDS,DNS,DHCP + DCDiag -a + Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A + Get-DnsServerForwarder + Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com + Get-DhcpServerInDC + Get-DhcpServerv4Statistics + ipconfig /all ++ + **Get-Service** displays a status of "Running" for all three services.
+ **DCDiag** displays "passed test" for all tests.
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+ **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
+ **Resolve-DnsName** displays public IP address results for www.microsoft.com.
+ **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
+ **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
+ **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. + +2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + +
+ Get-Service DNS,RemoteAccess + Get-DnsServerForwarder + Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com + ipconfig /all + netsh int ipv4 show address ++ + **Get-Service** displays a status of "Running" for both services.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Resolve-DnsName** displays public IP address results for www.microsoft.com.
+ **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + +3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: + +
+ whoami + hostname + nslookup www.microsoft.com + ping -n 1 dc1.contoso.com + tracert www.microsoft.com ++ + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+ **hostname** displays the name of the local computer, for example W7PC-001.
+ **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + + +## Appendix B: Terminology used in this guide + +
+ +
+
+
+
+
+
+
+## Related Topics
+
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+
+
+
+
+
+
+
+
diff --git a/windows/index.md b/windows/index.md
index d5e7f92b8a..31050c6bd6 100644
--- a/windows/index.md
+++ b/windows/index.md
@@ -3,6 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10)
description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
ms.prod: w10
+localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index fb18c0081b..d687114889 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -31,6 +31,7 @@
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
+#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
@@ -196,7 +197,7 @@
###### [Monitor claim types](monitor-claim-types.md)
##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
###### [Audit Credential Validation](audit-credential-validation.md)
-####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
+####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md
index 7e1f6c7414..89261d666c 100644
--- a/windows/keep-secure/bitlocker-countermeasures.md
+++ b/windows/keep-secure/bitlocker-countermeasures.md
@@ -23,9 +23,9 @@ The sections that follow provide more detailed information about the different t
### Protection before startup
-Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM.
+Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM.
-**Trusted Platform Module**
+#### Trusted Platform Module
Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.
@@ -33,7 +33,7 @@ A TPM is a microchip designed to provide basic security-related functions, prima
By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.
For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md).
-**UEFI and Secure Boot**
+#### UEFI and Secure Boot
No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys.
@@ -53,7 +53,7 @@ Using the digital signature, UEFI verifies that the bootloader was signed using
If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed.
-All Windows 8–certified devices must meet several requirements related to UEFI-based Secure Boot:
+Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot:
- They must have Secure Boot enabled by default.
- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).
diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md
index 89aea0f522..2ffb869b8f 100644
--- a/windows/keep-secure/bitlocker-overview.md
+++ b/windows/keep-secure/bitlocker-overview.md
@@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen
## New and changed functionality
-To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md)
+To find out what's new in BitLocker for Windows 10, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
## System requirements
@@ -74,6 +74,7 @@ When installing the BitLocker optional component on a server you will also need
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. |
| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.|
| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. |
+| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker. |
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 900762eca3..e5a7805ddf 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -15,6 +15,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
## January 2017
|New or changed topic |Description |
|---------------------|------------|
+|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |
diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
index 0293f672ae..241eadd7f7 100644
--- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
+++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
@@ -17,20 +17,105 @@ author: brianlic-msft
This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication.
-Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default
-settings.
+Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.
-
+| Term | Definition + |
| GPT | GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. + |
| Hyper-V | Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. + |
| Hyper-V host | The computer where Hyper-V is installed. + |
| Hyper-V Manager | The user-interface console used to view and configure Hyper-V. + |
| MBR | Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. + |
| Proof of concept (PoC) | Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. + |
| Shadow copy | A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. + |
| Virtual machine (VM) | A VM is a virtual computer with its own operating system, running on the Hyper-V host. + |
| Virtual switch | A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. + |
| VM snapshot | A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. + |
| + |
+ Windows 8.1 |
+
+ Windows 8.1 Certified |
+
|
+ Bootkits and |
+Without TPM, boot integrity checking is not available |
+Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings |
+
|
+ Brute Force |
+Secure by default, and can be improved with account lockout Group Policy |
+Secure by default, and can be improved with account lockout and device lockout Group Policy settings |
+
|
+ DMA |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+
|
+ Hyberfil.sys |
+Secure by default; hyberfil.sys secured on encrypted volume |
+Secure by default; hyberfil.sys secured on encrypted volume |
+
|
+ Memory |
+Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication |
+Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication |
+
- +
| + |
+ Windows 10 |
+
+ Windows 10 Certified |
+
|
+ Bootkits and |
+Without TPM, boot integrity checking is not available |
+Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings |
+
|
+ Brute Force |
+Secure by default, and can be improved with account lockout Group Policy |
+Secure by default, and can be improved with account lockout and device lockout Group Policy settings |
+
|
+ DMA |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+Secure by default; certified devices do not expose vulnerable DMA busses. |
+
|
+ Hyberfil.sys |
+Secure by default; hyberfil.sys secured on encrypted volume |
+Secure by default; hyberfil.sys secured on encrypted volume |
+
|
+ Memory |
+Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication |
+Password protect the firmware and ensure Secure Boot is enabled. |
+
-```text -https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=
+ + An Azure login page appears. + > [!NOTE] + > - Replace *tenant ID* with your actual tenant ID. + > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear. 15. Sign in with the credentials of a user from your tenant. @@ -80,7 +78,37 @@ An Azure login page appears. 23. Save the application changes. -After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. +After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. + +## Obtain a refresh token using an events URL +Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. +>[!NOTE] +>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). + +### Before you begin +Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + + - OAuth 2 Client ID + - OAuth 2 Client secret + +You'll use these values to obtain a refresh token. + +>[!IMPORTANT] +>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret. + +### Obtain a refresh token +1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=
- > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector``` - > -- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. -- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. -- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide. + - **client_ID**: OAuth 2 Client ID + - **client_secret**: OAuth 2 Client secret + - **auth_url**: ```https://login.microsoftonline.com/
For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). **To get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. @@ -61,7 +61,7 @@ The following tables provide more information about the hardware, firmware, and | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Important**: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. @@ -917,6 +917,7 @@ write-host $tmp -Foreground Red - [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel) - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert) - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode) +- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382) - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx) - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md index 2b626f9576..5d919fd37b 100644 --- a/windows/keep-secure/event-4774.md +++ b/windows/keep-secure/event-4774.md @@ -1,6 +1,6 @@ --- title: 4774(S) An account was mapped for logon. (Windows 10) -description: Describes security event 4774(S) An account was mapped for logon. +description: Describes security event 4774(S, F) An account was mapped for logon. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -8,14 +8,13 @@ ms.sitesec: library author: Mir0sh --- -# 4774(S): An account was mapped for logon. +# 4774(S, F): An account was mapped for logon. **Applies to** - Windows 10 - Windows Server 2016 - -It appears that this event never occurs. +Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). ***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) @@ -23,7 +22,7 @@ It appears that this event never occurs. *An account was mapped for logon.* -*Authentication Package:%1* +*Authentication Package:Schannel* *Account UPN:%2* diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 6a307acac3..2731ce37e8 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls 3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. 4. Modify the security policy setting, and then click **OK**. - **Note** - - Some security policy settings require that the device be restarted before the setting takes effect. - - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + > [!NOTE] + > - Some security policy settings require that the device be restarted before the setting takes effect. + > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ## To configure a security policy setting using the Local Group Policy Editor console @@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag 4. In the details pane, double-click the security policy setting that you want to modify. - >**Note:** If this security policy has not yet been defined, select the **Define these policy settings** check box. + > [!NOTE] + > If this security policy has not yet been defined, select the **Define these policy settings** check box. 5. Modify the security policy setting, and then click **OK**. ->**Note:** If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. +> [!NOTE] +> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. ## To configure a setting for a domain controller @@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. 3. In the details pane, double-click the security policy that you want to modify. - >**Note** If this security policy has not yet been defined, select the **Define these policy settings** check box. + + > [!NOTE] + > If this security policy has not yet been defined, select the **Define these policy settings** check box. 4. Modify the security policy setting, and then click **OK**. -**Important** -- Always test a newly created policy in a test organizational unit before you apply it to your network. -- When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. +> [!IMPORTANT] +> - Always test a newly created policy in a test organizational unit before you apply it to your network. +> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. ## Related topics diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 827fe72de7..c3595ae774 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -22,17 +22,18 @@ Credential Manager is a place where credentials in the OS are can be stored for For VPN, the VPN stack saves its credential as the session default. For WiFi, EAP does it. -The credentials are put in Credential Manager as a "`*Session`" credential. -A "`*Session`" credential implies that it is valid for the current user session. +The credentials are put in Credential Manager as a "\*Session" credential. +A "\*Session" credential implies that it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is disconnected. -When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. +When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). -WinInit.exe will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. +The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. If the app is not UWP, it does not matter. But if it is a UWP app, it will look at the device capability for Enterprise Authentication. -If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. +If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. +This behavior helps prevent credentials from being misused by untrusted third parties. ## Intranet zone @@ -68,9 +69,26 @@ The username should also include a domain that can be reached over the connectio If the credentials are certificate-based, then the elements in the following table need to be configured for the certificate templates to ensure they can also be used for Kerberos client authentication. -| TEmplate element | Configuration | +| Template element | Configuration | |------------------|---------------| | SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. | | SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | -| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. This certificate must be issued using the PassportForWork CSP. | -| EnhancedKeyUsage | One or more of the following EKUs is required: - Client Authentication (for the VPN) - EAP Filtering OID (for PassportForWork)- SmartCardLogon (for Azure AD joined devices)If the domain controllers require smart card EKU either:- SmartCardLogon- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | +| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. | +| EnhancedKeyUsage | One or more of the following EKUs is required: - Client Authentication (for the VPN) - EAP Filtering OID (for Windows Hello for Business)- SmartCardLogon (for Azure AD joined devices)If the domain controllers require smart card EKU either:- SmartCardLogon- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | + +## NDES server configuration + +The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used. +For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/en-us/intune/deploy-use/Configure-certificate-infrastructure-for-scep). + +## Active Directory requirements + +You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well. + +The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store. + +The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. +This is because Windows 10 Mobile requires strict KDC validation to be enabled. +This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server. +For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382). + diff --git a/windows/keep-secure/images/atp-add-intune-policy.png b/windows/keep-secure/images/atp-add-intune-policy.png new file mode 100644 index 0000000000..61a47e9f37 Binary files /dev/null and b/windows/keep-secure/images/atp-add-intune-policy.png differ diff --git a/windows/keep-secure/images/atp-mdm-onboarding-package.png b/windows/keep-secure/images/atp-mdm-onboarding-package.png new file mode 100644 index 0000000000..23b9c49490 Binary files /dev/null and b/windows/keep-secure/images/atp-mdm-onboarding-package.png differ diff --git a/windows/keep-secure/images/atp-refresh-token.png b/windows/keep-secure/images/atp-refresh-token.png new file mode 100644 index 0000000000..3f7e8c7c69 Binary files /dev/null and b/windows/keep-secure/images/atp-refresh-token.png differ diff --git a/windows/keep-secure/images/wip-select-column.png b/windows/keep-secure/images/wip-select-column.png new file mode 100644 index 0000000000..d4e8a9e7a0 Binary files /dev/null and b/windows/keep-secure/images/wip-select-column.png differ diff --git a/windows/keep-secure/images/wip-taskmgr.png b/windows/keep-secure/images/wip-taskmgr.png new file mode 100644 index 0000000000..d69e829d65 Binary files /dev/null and b/windows/keep-secure/images/wip-taskmgr.png differ diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 3e1ed57822..aee90f46a5 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- # Keep Windows 10 secure @@ -17,19 +18,19 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | Topic | Description | | - | - | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | -| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | -| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | +| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | +| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | | [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | -| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | +| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | | [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | -| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | +| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. For example, learn about AppLocker, BitLocker, and Security auditing. | +| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Review technology overviews that help you understand Windows 10 security technologies in the context of the enterprise. | | [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index c95ae45458..39aaeb8dc5 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -25,8 +25,8 @@ This table provides info about the most common problems you might encounter whil
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).
(Replace "contoso" with your domain name(s) | |-----------------------------|---------------------------------------------------------------------| -|Office 365 for Business |
- contoso.sharepoint.com
- contoso-my.sharepoint.com
- contoso-files.sharepoint.com
- tasks.office.com
- lists.office.com
- collabdb.com
- www.collabdb.com
- protection.office.com
- meet.lync.com
- teams.microsoft.com
- contoso.sharepoint.com
- contoso-my.sharepoint.com
- contoso-files.sharepoint.com
- tasks.office.com
- protection.office.com
- meet.lync.com
- teams.microsoft.com
- www.yammer.com
- yammer.com
- persona.yammer.com
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Important**: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index 8bd5183126..6b82a956c7 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -11,21 +11,23 @@ author: brianlic-msft # Security technologies -Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. +As an IT professional, you can use these topics to learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. -| Topic | Description | +| Section | Description | |-|-| | [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. | -| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.| -| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.| -| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.| -| [Security auditing](security-auditing-overview.md)| Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.| -| [Security policy settings](security-policy-settings.md)| This reference topic describes the common scenarios, architecture, and processes for security settings.| -| [Trusted Platform Module](trusted-platform-module-overview.md)| This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.| -| [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| -| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| -| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.| -| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. | +| [AppLocker](applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.| +| [BitLocker](bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. | +| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.| +| [Security auditing](security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.| +| [Security policy settings](security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.| +| [Smart Cards](smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | +| [Trusted Platform Module](trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. | +| [User Account Control](user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| +| [Virtual Smart Cards](virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | +| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| +| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. | diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index df382bc1fe..3730d58e83 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -2223,6 +2223,19 @@ Description of the error.
The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
Symbolic name:
MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD
Message:
The antimalware engine has uploaded a file for further analysis.
Filename <uploaded filename>
Sha256: <file SHA>
Description:
A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.
Symbolic name:
MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED
Message:
The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.
+Filename: <uploaded filename>
+Sha256: <file SHA>
+Current Signature Version: <signature version number>
+Current Engine Version: <engine version number>
+Error code: <error code>
Description:
A file could not be uploaded to the Windows Defender Antimalware cloud.
User action:
You can attempt to manually submit the file.
- Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
- Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
- Add the following URLs to the Neutral Resources network element in your WIP policy:
- outlook.office365.com
- outlook.office.com
- outlook-sdf.office.com
- attachment.outlook.office.net
| Cellular | Device is only connected to a cellular network (standard data charges apply) | Will skip a daily scan if scan was successfully completed in the last 5 days | -Will only occur if update package is small and does not exceed the mobile operator data limit or the user clicks “download now”. | -Yes, if the user clicked “download now” | +Will only occur if update package is small and does not exceed the mobile operator data limit. | +Yes | Idem |