fixing merge conflict

This commit is contained in:
Trudy Hakala 2016-10-12 09:29:44 -07:00
commit 934dd7b521
67 changed files with 2176 additions and 453 deletions

View File

@ -32,34 +32,49 @@ To create a local admin, [choose to use a local admin during first run](first-ru
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admins password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then youll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
### Domain join the device to Active Directory (AD)
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
>**Note**  Surface Hubs use domain join only to set up an admin group for the device. Group policies are not applied after the device is domain joined
#### What happens when you domain join your Surface Hub?
Surface Hubs use domain join to:
- Grant admin rights to members of a specified security group in AD.
- Backup the device's BitLocker recovery key by storing it under the computer object in AD. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
- Synchronize the system clock with the domain controller for encrypted communication
>**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
Surface Hub does not support applying group policies or certificates from the domain controller.
> [!NOTE]
> If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
### Azure Active Directory (Azure AD) join the device
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. The people who are provisioned as admins on your device depend on your Azure AD subscription. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be added as admins on the device.
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
>**Note**  If your Azure AD organization is configured to automatically enroll devices into mobile device management (MDM), you will need to disable this for the Surface Hubs you plan to join to Azure AD, and manually enroll into MDM using Settings. A known issue prevents Surface Hubs from supporting this setting.
By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
2. On the **Configure** page, under **Devices** > **Additional administrators on Azure AD joined devices**, click **Selected**.
3. Click **Add**, and select the users you want to add as administrators on your Surface Hub and other Azure AD joined devices.
4. When you have finished, click the checkmark button to save your change.
#### What happens when you Azure AD join your Surface Hub?
Surface Hubs use Azure AD join to:
- Grant admin rights to the appropriate users in your Azure AD tenant.
- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
> [!IMPORTANT]
> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
### Which should I choose?
If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
### Summary
| Option | Requirements | Which credentials can be used to access the Settings app? |
|---------------------------------------------------|-----------------------------------------|-------|
| Create a local admin account | None | The user name and password specified during first run |
| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
| | Your organization uses Azure AD Premium | Global administrators and other specified users |
|   | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
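Review bot: the merge resolution has left both sides of several passages in this hunk. The domain-trust warning appears twice with identical text (once as `>**Note**`, once as `> [!NOTE]`), the Azure AD join paragraph is present in both its "depend on your Azure AD subscription" form and its shortened form, and the MDM auto-enrollment caveat is stated once as a `>**Note**` and again as a `> [!IMPORTANT]`; keep one of each, preferably the `[!NOTE]`/`[!IMPORTANT]` style the newer lines use. In the summary table, "Global administators" is missing an "r", and there are two Azure AD Premium rows with different credential descriptions; since the text above says additional administrators require Azure AD Premium or EMS, collapse them into the single "Azure AD Premium or Enterprise Mobility Suite (EMS)" row. The bullet "Synchronize the system clock with the domain controller for encrypted communication" and the note ending "after the device is domain joined" both lack a terminal period, and "youll" has lost its apostrophe.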

View File

@ -133,7 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
5. Finally, to connect to Exchange Online Services, run:
``` syntax
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
```
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)
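Review bot: `AllowRedirection` is missing its leading hyphen in both the old and the corrected line, so PowerShell binds it as a positional argument and `New-PSSession` fails with a parameter-binding error instead of opening the session; the line should end `-Authentication "Basic" -AllowRedirection`. The spacing fix in `-ConnectionUri "https://outlook.office365.com/powershell-liveid/"` is correct.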
@ -202,7 +202,7 @@ Now that you're connected to the online services, you can finish setting up the
``` syntax
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-26.png)
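Review bot: the first `Set-CalendarProcessing` line, which this hunk leaves as unchanged context, still reads `AllowConflicts $false DeleteComments $false` without parameter hyphens; the cmdlet rejects those as unexpected positional arguments, so it should be `-AllowConflicts $false -DeleteComments $false`. Replacing the `<tla rid="surface_hub"/>` placeholder with "Surface Hub" in the second line is correct.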
@ -350,7 +350,7 @@ Now that you're connected to the online services, you can finish setting up the
``` syntax
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”).
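Review bot: same defect as the earlier block in this file: the unchanged first `Set-CalendarProcessing` line needs `-AllowConflicts $false -DeleteComments $false`, otherwise the command fails before any of the calendar properties are set. In the following step, "the part of the UPN that becomes before the “@”" should read "comes before".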

View File

@ -16,166 +16,43 @@ localizationpriority: medium
This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
A "device account" is an account that the Microsoft Surface Hub uses to:
A **device account** is an Exchange resource account that Surface Hub uses to:
- sync its meeting calendar,
- send mail,
- and enable Skype for Business compatibility.
- Display its meeting calendar
- Join Skype for Business calls
- Send email (for example, email whiteboard content from a meeting)
People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees.
Once the device account is provisioned to a Surface Hub, people can add this account to a meeting invitation the same way that they would invite a meeting room.
>**Important**  Without a device account, none of these features will work.
## Configuration overview
 
This table explains the main steps and configuration decisions when you create a device account.
| Step | Description | Purpose |
|------|---------------------------------|--------------------------------------|
| 1 | Created a logon-enabled Exchange resource mailbox (Exchange 2013 or later, or Exchange Online) | This resource mailbox allows the device to maintain a meeting calendar, receive meeting requests, and send mail. It must be logon-enabled to be provisioned to a Surface Hub. |
| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
Every device account is unique to a single Surface Hub, and requires some setup:
## Detailed configuration steps
- The device account must be configured correctly, as described in the folllowing sections.
- Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services.
We recommend setting up your device accounts using remote PowerShell. There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts and instructions, see [Appendix A: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
You can think of a device account as the resource account that people recognize as a conference rooms or meeting spaces account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one.
For detailed steps using PowerShell to provision a device account, choose an option from the table, based on your organization deployment.
If you already have a resource mailbox account set up for the meeting space where youre putting a Surface Hub, you can change that resource account into a device account. Once thats done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md).
| Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
The following sections will describe how to create and test a device account before configuring your Surface Hub.
### Basic configuration
These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Property</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Exchange mailbox (Exchange 2013 or later, or Exchange Online)</p></td>
<td align="left"><p>Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hubs welcome screen. The Surface Hub mailbox must be a room mailbox.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)</p></td>
<td align="left"><p>Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Password-enabled</p></td>
<td align="left"><p>The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Compatible EAS policies</p></td>
<td align="left"><p>The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="advanced-config"></a>Advanced configuration
While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Property</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Certificate-based authentication</p></td>
<td align="left"><p>Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.</p>
<p>See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Allowed device IDs (ActiveSync Device ID)</p></td>
<td align="left"><p>Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device accounts mail and calendar. You must ensure that the Surface Hubs device ID is added to this whitelist. This can either be configured using PowerShell (by setting the <code>ActiveSyncAllowedDeviceIDs</code> property) or the Exchange administrative portal.</p>
<p>You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).</p></td>
</tr>
</tbody>
</table>
 
### How do I set up the account?
The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
### Device account configuration
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organizations environment is deployed entirely on Office 365.
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md).
### Device account resources
These sections describe resources used by the Surface Hub device account.
- [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly.
- [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar.
- [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password.
## In this section
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Online deployment](online-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>This topic has instructions for adding a device account for your Surface Hub when you have a pure, online deployment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>This topic explains how you add a device account for your Surface Hub when you have a single-forest, on-premises deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Create a device account using UI](create-a-device-account-using-office-365.md)</p></td>
<td align="left"><p>If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Password management](password-management-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>Every Surface Hub device account requires a password to authenticate and enable features on the device.</p></td>
</tr>
</tbody>
</table>
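Review bot: both sides of the merge are still present throughout this hunk: the old definition of a device account (quoted "device account", three lower-case bullets) sits beside the new one (bold **device account**, "Display its meeting calendar ..."), the booking sentence appears in two forms, the "use remote PowerShell" paragraph appears here and again under "How do I set up the account?", the deployment-options table duplicates the "Device account configuration" bullet list, and the "prefer to use the Office 365 UI" sentence appears twice; keep one version of each. In the configuration-overview table, step 1 reads "Created a logon-enabled Exchange resource mailbox" while the other steps are imperative ("Configure", "Apply"), "folllowing sections" is misspelled, and "help create and validate device accounts For more information" is missing its period. Several possessives ("conference rooms or meeting spaces account", "youre", "thats", "organizations", "Surface Hubs welcome screen") have lost their apostrophes, which looks like a smart-quote encoding loss rather than an intended edit.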
 

View File

@ -169,17 +169,19 @@ On this page, the Surface Hub will ask for credentials for the device account th
>**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.
 
![Image showing Enter device account info page.](images/setupdeviceacct.png)
### Details
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field.
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password.
| Environment | Required format for device account|
| ------------ | ----------------------------------|
| Device account is hosted only online. | username@domain.com|
| Device account is hosted only on-prem. | DOMAIN\username|
| Device account is hosted online and on-prem (hybrid). | DOMAIN\username|
- **User principal name:** This is the UPN of the device account for this Surface Hub. If youre using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account.
- **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If youre using an Active Directory (AD) deployment, then you must enter the account in this format.
- **Password:** Enter the device account password.
Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to:
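Review bot: the new format table says a hybrid-hosted device account must be entered as `DOMAIN\username`, but the retained bullet "**User principal name:** ... If you're using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN" says the opposite. The Password management topic changed in this same commit states that password rotation in a hybrid topology requires the **domain\username** format, so the bullet should be updated to match the table (UPN for online-only, domain\user name for on-prem and hybrid). The sentence beginning "Use either a **user principal name (UPN)** or a **domain\\user name**" is present in both its original and its extended form; keep the extended one. "youre" in both bullets has lost its apostrophe.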

View File

@ -71,7 +71,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
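Review bot: as in the other `Set-CalendarProcessing` blocks in this commit, the unchanged first line is missing the hyphens on `AllowConflicts` and `DeleteComments`; it should read `-AllowConflicts $false -DeleteComments $false` or the cmdlet will reject the positional arguments. The placeholder replacement in the second line is correct.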

View File

@ -13,62 +13,24 @@ localizationpriority: medium
# Password management (Surface Hub)
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change (or "rotate") this password regularly. However, if the device accounts password changes, the password that was previously stored on the Surface Hub will be invalid, and all features that depend on the device account will be disabled. You will need to update the device accounts password on the Surface Hub from the Settings app to re-enable these features.
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device accounts password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device accounts password on the Surface Hub from the Settings app to re-enable these features.
To simplify password management for your Surface Hub device accounts, there are two options:
To prevent the device account from expiring, there are two options:
1. Set the password on the device account so it doesn't expire.
1. Turn off password expiration for the device account.
2. Allow the Surface Hub to automatically rotate the device accounts password.
## Setting the password so it doesn't expire
## Turn off password rotation for the device account
Set the device accounts **PasswordNeverExpires** property to True. You should verify whether this meets your organizations security requirements.
## Allow the Surface Hub to manage the password
The Surface Hub can manage a device accounts password by changing it frequently without requiring you to manually update the device accounts information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily.
Note that when the device accounts password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password.
For your device account to use password rotation, you must meet enter the device accounts information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Environment</th>
<th align="left">Required format for device account</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Device account is hosted only online</p></td>
<td align="left"><p>username@contoso.com</p></td>
</tr>
<tr class="even">
<td align="left"><p>Device account is hosted only on-prem</p></td>
<td align="left"><p>DOMAIN\username</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device account is hosted online and on-prem (hybrid)</p></td>
<td align="left"><p>DOMAIN\username</p></td>
</tr>
</tbody>
</table>
 
 
 
## Allow the Surface Hub to automatically rotate the device accounts password
The Surface Hub can manage a device accounts password by changing it frequently without requiring you to manually update the device accounts information. You can enable this feature in **Settings**. Once enabled, the device account's password will change weekly during maintenance hours.
Note that when the device accounts password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory or the Office 365 admin portal to reset the password.
> [!IMPORTANT]
> If your organization uses a hybrid topology (some services are hosted on-premises and some are hosted online through Office 365), you must setup the device account in **domain\username** format. Otherwise, password rotation will not work.
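Review bot: this hunk contains two competing sections for letting the Surface Hub manage the device account password, and they disagree on the facts: the one under "## Allow the Surface Hub to manage the password" says the password changes daily and is reset through Active Directory, while the one under "## Allow the Surface Hub to automatically rotate the device accounts password" says it changes weekly during maintenance hours and can be reset through Active Directory or the Office 365 admin portal. Only one should survive, and its format table should be the one kept (the HTML table appears to be the older form of the markdown table introduced elsewhere in this commit). The heading "## Turn off password rotation for the device account" does not match its list item ("Turn off password expiration for the device account") or its body, which sets **PasswordNeverExpires**; it should say expiration. The intro paragraph and the two-option list also appear in both old and new versions. Wording fixes needed in the lines that stay: "you must meet enter the device accounts information" should be "you must enter the device account's information", "where your device account it hosted" should be "is hosted", "you'll need use" should be "you'll need to use", and "( or "rotate")" has a stray space.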

View File

@ -19,24 +19,24 @@ author: jdeckerMS
<iframe width="501" height="282" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution.
Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
![education.minecraft.net](images/minecraft.png)
<!-- ![education.minecraft.net](images/minecraft.png) -->
## Prerequisites
- **Minecraft: Education Edition** requires Windows 10.
- Early access to **Minecraft: Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
* Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
- **Minecraft Education Edition** requires Windows 10.
- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**.
* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan)
* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
<!-- ![teacher](images/teacher.png) -->
![teacher](images/teacher.png)
[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md)
[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
![IT administrator](images/school.png)
<!-- ![IT administrator](images/school.png) -->
[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
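Review bot: the two copies of the prerequisites list in this hunk disagree with the rename the same hunk applies to the intro line (`Minecraft Education Edition` to `Minecraft: Education Edition`), so the merge resolution is only half done. One copy keeps the colon-less name and the `en-us` locale in the URLs (`https://products.office.com/en-us/academic/office-365-education-plan`, `https://msdn.microsoft.com/en-us/library/...`); the copy that survives should use the colon form and the locale-free links. The same copy also shortens `Office 365 Education, which includes online versions of Office apps plus 1 TB online storage ... is free for teachers and students` to plain `Office 365`, which is not the free offer; keep `Office 365 Education` so the free claim stays accurate. Also check the three screenshot lines: `![education.minecraft.net]`, `![teacher]` and `![IT administrator]` are toggled between live and `<!-- -->` in different directions, which reads as a partial revert rather than an intended state; decide whether the images are shown or hidden on this page and make all three match.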

@ -8,59 +8,57 @@ ms.sitesec: library
author: jdeckerMS
---
# For IT administrators: get Minecraft Education Edition
# For IT administrators: get Minecraft: Education Edition
**Applies to:**
- Windows 10
When you sign up for early access to [Minecraft Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
When you sign up for early access to [Minecraft: Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 subscription when you request Minecraft Education Edition.
> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
## Add Minecraft to your Windows Store for Business
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - individual copies](#individual-copies).
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies).
If youve been approved and are part of the Enrollment for Education Solutions program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license)
If youve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume licenses for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - individual copies
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - direct purchase
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**.
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
![Click Get the app](images/it-get-app.png)
<!-- ![Click Get the app](images/it-get-app.png) -->
2. Enter your email address.
2. Enter your email address, and select Educator, Administrator, or Student. </br> If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
![Enter school email address](images/enter-email.png)
- If your email address isn't associated to an Azure AD or Office 365 tenant, you'll be asked to fill in a form. The information will be used to create an Office 365 subscription for your school.
<!-- ![Enter school email address](images/enter-email.png) -->
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
![You can get the app now](images/get-the-app.png)
<!-- ![You can get the app now](images/get-the-app.png) -->
4. Sign in to Windows Store for Business with your email address.
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
![Get Minecraft app in Store](images/minecraft-get-the-app.png)
<!-- ![Get Minecraft app in Store](images/minecraft-get-the-app.png) -->
Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume license
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing
Qualified education institutions can purchase Minecraft: Education Edition volume licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the copies will be available in [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
- Youll receive an email with a link to Windows Store for Business.
- Sign in to [Windows Store for Business](https://www.microsoft.com/business-store) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## <a href="" id="distribute-minecraft"></a>Distribute Minecraft
After Minecraft Education Edition is added to your Windows Store for Business, you have three options:
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
- You can install the app on your PC.
- You can assign the app to others.
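Review bot: step 3 still reads `Select **Get the app**. This will take you to the Windows Store for Business to download the app` even though step 1 was changed from `select **Get the app**` to `select **GET STARTED**`; confirm which button label the site shows at each step and make the two agree (the teacher page has the same sequence). Two small fixes in the added lines: `you can purchase a volume licenses for Minecraft: Education Edition` should be `you can purchase volume licenses`, and `If your email address isn't associated to an Azure AD or Office 365 Education tenant` should be `associated with`. The `http://education.minecraft.net/` links should point at `https://` if the site serves it, since step 2 has the reader type a school email address into that site. The note about a free `Office 365 Education subscription` with the link to the plan comparison is a good addition; the old wording (`free Office 365 subscription`) was the same imprecision flagged in the overview page.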
@ -68,11 +66,11 @@ After Minecraft Education Edition is added to your Windows Store for Business, y
Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).
Here's the page you'll see for individual copies of **Minecraft: Education Edition**.
Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Windows Store for Business.
![App distribution options - individual copies](images/mc-install-for-me-admin.png)
Here's the page you'll see for volume licensed copies of of **Minecraft: Education Edition**.
Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.
![App distribution options - individual copies](images/wsfb-minecraft-vl.png)
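Review bot: the alt text on the volume-licensing screenshot is wrong: `![App distribution options - individual copies](images/wsfb-minecraft-vl.png)` sits directly under `Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing`, so it should say something like `App distribution options - volume licensing`. The two rewritten lead sentences also drop the bold on the product name that the rest of this page uses; either style is fine, but keep it consistent within the page.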
@ -87,17 +85,17 @@ You can install the app on your PC. This gives you a chance to test the app and
3. Click **Install**.
### Assign to others
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
**To assign to others**
1. Sign in to Windows Store for Business.
2. Click **Manage**.
![Minecraft Education Edition product page](images/minecraft-assign-to-others.png)
4. Click **Assign to people**.
3. Click **Assign to people**.
![Assign to people](images/minecraft-assign-to-people.png)
5. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
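Review bot: the renumbering fixes the 1, 2, 4, 5 sequence, but the renumbered step 4 keeps a stray comma: `Type the name, or email address of the student you want to assign the app to` should be `Type the name or email address of the student`. The completed sentence in the lead paragraph (`where students and teachers in your organization can download the app`) is fine; consider also stating there that assignment only works for work or school accounts, since that restriction is currently buried after the screenshot.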
@ -114,16 +112,16 @@ Enter email addresses for your students, and each student will get an email with
![Windows Store app with Minecraft page](images/minecraft-in-windows-store-app.png)
After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**.
After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**. Windows Store app is preinstalled with Windows 10.
![Windows Store app showing access to My Library](images/minecraft-private-store.png)
When students click **My Libarary** they'll find apps assigned to them.
When students click **My Library** they'll find apps assigned to them.
![My Library for example student](images/minecraft-my-library.png)
### Download for others
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when:
Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
- You have administrative permissions to install apps on the PC.
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
- Your students share Windows 10 computers, but sign in with their own Windows account.
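Review bot: the rewritten paragraph now says `download an app that they can install on PCs`, but the third condition below it still reads `each of your student's Windows 10 (at least version 1511) PCs`; that should be `students'` (plural possessive), and the matching paragraph on the teacher page was not updated from `download a packages`. The sentence `allows anyone with a Windows account to use the app on that PC` is the important difference from per-user assignment and should stay; saying `any user account on that PC` would avoid readers taking `Windows account` to mean a Microsoft account.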
@ -161,12 +159,12 @@ You'll download a .zip file, extract the files, and then use one of the files to
6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
## Manage Minecraft Education Edition
## Manage Minecraft: Education Edition
### Access to Windows Store for Business
By default, when a teacher with a work or school account in your edu tenant acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purachaser** role. You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
To prevent educators from automatically signing up for Windows Store for Business
1. In Windows Store for Business, click **Settings**, and then click **Permissions**.
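Review bot: `they are automatically signed up for Window Store for Business` is still missing the `s` in `Windows` in both versions of the line; fix it while touching this sentence. The next sentence, `You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.**`, is missing the word `setting` after the bold name, and the trailing period belongs outside the bold. Since this setting hands the `Basic Purchaser` role to any teacher who acquires the app, state its default explicitly; the `To prevent educators from automatically signing up` procedure implies it is on by default, and admins who want to control purchasing need to know they must opt out.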
@ -217,10 +215,10 @@ These apps will automatically be in your private store:
As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
## Need more copies of Minecraft: Education Edition?
<!-- ## Need more copies of Minecraft: Education Edition?
You can purchase more licenses by working with your channel partner. Licenses are available at a lower rate than the price for individual copies that are available through Windows Store for Business. Individual copies are also available through Windows Store for Business.
If youve purchased a volume license, be sure to let other basic purchasers in your organization know about the volume license. That should help prevent unnecessary purchases of individual copies.
If youve purchased a volume license, be sure to let other basic purchasers in your organization know about the volume license. That should help prevent unnecessary purchases of individual copies. -->
## Learn more
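Review bot: wrapping the `## Need more copies of Minecraft: Education Edition?` section in `<!-- -->` hides it from the rendered page but leaves the pricing claim (`Licenses are available at a lower rate than the price for individual copies that are available through Windows Store for Business`) in the published source. If the section is being retired, delete it rather than comment it out; if it is only being parked until the volume-licensing text above settles, add a one-line comment saying so, otherwise the next editor cannot tell which it is.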
@ -230,6 +228,6 @@ If youve purchased a volume license, be sure to let other basic purchasers in
## Related topics
[Get Minecraft Education Edition](get-minecraft-for-education.md)
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For teachers get Minecraft Education Edition](teacher-get-minecraft.md)
[For teachers get Minecraft: Education Edition](teacher-get-minecraft.md)

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
# For teachers: get Minecraft Education Edition
# For teachers: get Minecraft: Education Edition
**Applies to:**
@ -18,29 +18,29 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
## Add Minecraft to your Windows Store for Business
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**.
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
![Click Get the app](images/teacher-get-app.png)
<!-- ![Click Get the app](images/teacher-get-app.png) -->
2. Enter your email address.
![Enter school email address](images/enter-email.png)
<!-- ![Enter school email address](images/enter-email.png) -->
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
![You can get the app now](images/get-the-app.png)
<!-- ![You can get the app now](images/get-the-app.png) -->
4. Sign in to Windows Store for Business with your email address.
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory.
6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Windows Store for Business inventory.
![Get Minecraft app in Store](images/minecraft-get-the-app.png)
## Distribute Minecraft
After Minecraft Education Edition is added to your Windows Store for Business, you have three options:
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
- You can install the app on your PC.
- You can assign the app to others.
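Review bot: step 2 on this page still reads only `Enter your email address.`, while the matching step on the IT-admin page was expanded to `Enter your email address, and select Educator, Administrator, or Student` with the note about creating a tenant; both walkthroughs describe the same sign-up form and should match. Likewise step 3 still says `Select **Get the app**` after step 1 became `select **GET STARTED**`, and `![Get Minecraft app in Store](images/minecraft-get-the-app.png)` is left live here while the same screenshot is commented out on the admin page.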
@ -97,7 +97,7 @@ Students will receive an email with a link that will install the app on their PC
![My Library for example student](images/minecraft-my-library.png)
### Download for others
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for younger students, and for shared computers. Choose this option when:
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
- You have administrative permissions to install apps on the PC.
- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
- Your students share Windows 10 computers, but sign in with their own Windows account.
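Review bot: `download a packages that they can install on student PCs` still has the number disagreement that the admin page's copy of this paragraph fixed (`download an app that they can install on PCs`); only the word `younger` was removed here, so the two pages now diverge. Also `each of your student's Windows 10 (at least version 1511) PCs` should be `students'`.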
@ -152,8 +152,8 @@ If you are still having trouble installing the app, you can get more help on our
## Related topics
[Get Minecraft Education Edition](get-minecraft-for-education.md)
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For IT admins: get Minecraft Education Edition](school-get-minecraft.md)
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)

@ -45,6 +45,7 @@
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)

@ -11,6 +11,11 @@ author: greg-lindsay
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
## September 2016
| New or changed topic | Description |
|----------------------|-------------|

@ -21,6 +21,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
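Review bot: the new row doubles `provides` (`This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures`) and `resolve issues with Windows 10 upgrade` should be `upgrades`; something like `This topic briefly introduces the Windows 10 installation process and gives resolution procedures that IT administrators can use for Windows 10 upgrade issues.` keeps it parallel with the one-sentence descriptions in the other rows.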

@ -40,30 +40,30 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
1. General
* General
2. Name: Install Windows 10 Enterprise x64
* Name: Install Windows 10 Enterprise x64
3. Limited Collection: All Systems
* Limited Collection: All Systems
4. Membership rules:
* Membership rules:
5. Direct rule
* Direct rule
6. Resource Class: System Resource
* Resource Class: System Resource
7. Attribute Name: Name
* Attribute Name: Name
8. Value: PC0003
* Value: PC0003
9. Select **Resources**
* Select **Resources**
10. Select **PC0003**
* Select **PC0003**
2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
**Note**  
It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
>[!NOTE] 
>It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
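Review bot: the converted note lines carry trailing whitespace (`>[!NOTE] ` and the lone blank line after it), most likely non-breaking spaces inherited from the old `**Note**  ` two-space line-break convention; strip them, since the alert syntax expects `> [!NOTE]` followed by ordinary text and stray U+00A0 characters can survive into the rendered block. Switching the wizard sub-steps from `1.`..`10.` to `*` bullets is fine because they are settings rather than ordered actions, but `Limited Collection: All Systems` is the wizard's `Limiting collection` field and should be named the way the UI labels it.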
 
@ -82,8 +82,8 @@ Using the Configuration Manager console, in the Software Library workspace, sele
- Make available to the following: Configuration Manager clients, media and PXE
**Note**  
It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
>[!NOTE]  
>It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
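Review bot: same trailing-whitespace issue as the first note block in this file: `>[!NOTE]  ` and the blank line after it should lose the trailing characters so the alert renders cleanly. Otherwise the conversion is correct and the blank line before `>[!NOTE]` keeps the note from attaching to the bullet above it.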
 
@ -110,10 +110,8 @@ Now you can start the computer refresh on PC0003.
1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
**Note**  
The Client Notification feature is new in Configuration Manager.
 
>[!NOTE]  
>The Client Notification feature is new in Configuration Manager.
2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
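Review bot: moving the note above step 2 keeps it attached to the step it explains, but `>[!NOTE]  ` again has trailing whitespace, and the note's claim `The Client Notification feature is new in Configuration Manager` is unversioned; if it arrived with a specific release (this page does not say which), name it, otherwise the sentence gives the reader nothing actionable and could be dropped.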

@ -20,7 +20,7 @@ This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (L
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](images/mdt-04-fig01.png)
![The machines used in this topic](images/mdt-04-fig01.png "The machines used in this topic")
Figure 1. The machines used in this topic.
@ -28,15 +28,21 @@ Figure 1. The machines used in this topic.
Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
1. Back up data and settings locally, in a backup folder.
2. Wipe the partition, except for the backup folder.
3. Apply the new operating system image.
4. Install other applications.
5. Restore data and settings.
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
**Note**  
In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
>[!NOTE] 
>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
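Review bot: splitting the five refresh steps onto separate lines fixes the list rendering, and the `>[!NOTE]` conversion is right, though it again carries a trailing non-breaking space after `[!NOTE]`. The note is also the right place for a caveat the page omits: because the optional WIM backup `will contain the entire volume from the computer` (user data included), the share or folder it is written to should be restricted to helpdesk staff and the file removed once the refresh is verified; at the moment the paragraph only says helpdesk personnel can extract content from it.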
 
### Multi-user migration
@ -45,8 +51,8 @@ by configuring command-line switches to ScanState (added as rules in MDT).
As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
**Note**  
You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
>[!NOTE] 
>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
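Review bot: `ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*` is hard to read with the Markdown escaping and is exactly the line readers will paste into CustomSettings.ini; put it in a code span or a fenced block so the backslashes and asterisks come through unescaped. It would also help to say in the same sentence that `/ue:*\*` excludes every profile and `/ui:CONTOSO\*` then re-includes the domain ones (include rules win over exclude rules), which is why local SAM accounts are dropped; the `/uel:60` example in the note is fine as converted, apart from the trailing whitespace after `>[!NOTE]`.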
 
### Support for additional settings
@ -55,12 +61,15 @@ In addition to the command-line switches that control which profiles to migrate,
## <a href="" id="sec02"></a>Create a custom User State Migration Tool (USMT) template
In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
1. Back up the **C:\\Data** folder (including all files and folders).
2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
- [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
- [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
* [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
* [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
* [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
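Review bot: the rewrite of `The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:` only changes the bullet marker from `-` to `*` and adds a blank line before the list; the blank line is the real fix (without it the list runs into the paragraph), but switching markers leaves this file using both `-` and `*` for bullets. Pick one marker for the file.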
### Add the custom XML template
@ -77,27 +86,30 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it
After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
**Note**  
MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
>[!NOTE]   
>MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
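Review bot: `>[!NOTE]   ` has three trailing non-breaking spaces; strip them as with the other converted notes. The pointer to the `USMTOfflineMigration` property is the right one for the offline scenario; consider adding that an offline refresh captures user state from Windows PE rather than from the running OS, since readers reaching this note are otherwise following an online refresh started with `Litetouch.vbs` from inside Windows 7.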
 
### Upgrade (refresh) a Windows 7 SP1 client
1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
2. Computer name: &lt;default&gt;
3. Specify where to save a complete computer backup: Do not back up the existing computer
**Note**  
Skip this optional full WIM backup. The USMT backup will still run.
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
* Computer name: &lt;default&gt;
* Specify where to save a complete computer backup: Do not back up the existing computer
>[!NOTE]
>Skip this optional full WIM backup. The USMT backup will still run.
 
2. Select one or more applications to install: Install - Adobe Reader XI - x86
3. The setup now starts and does the following:
1. Backs up user settings and data using USMT.
2. Installs the Windows 10 Enterprise x64 operating system.
3. Installs the added application(s).
4. Updates the operating system via your local Windows Server Update Services (WSUS) server.
5. Restores user settings and data using USMT.
![figure 2](images/fig2-taskseq.png)
3. The setup now starts and does the following:
* Backs up user settings and data using USMT.
* Installs the Windows 10 Enterprise x64 operating system.
* Installs the added application(s).
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores user settings and data using USMT.
![Start the computer refresh from the running Windows 7 client](images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client")
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
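Review bot: the new `>[!NOTE]` block ("Skip this optional full WIM backup...") sits at column 0 between the sub-bullets of step 1 and "2. Select one or more applications to install", so the numbered list is interrupted and step 2 will most likely render as the start of a new list; indent the blockquote (and the blank line after it) to the level of the sub-bullets it follows. While here, the first replacement note in this hunk carries trailing spaces after `>[!NOTE]` and the second does not; use one form. The context line "Complete the deployment guide using the following settings" should read "Windows Deployment Wizard", the name the same walkthrough uses later.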
@ -109,7 +121,6 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

View File

@ -32,9 +32,9 @@ In this topic, you will create a backup-only task sequence that you run on PC000
3. On the **General** page, assign the following settings and click **Next**:
1. Task sequence name: Replace Task Sequence
* Task sequence name: Replace Task Sequence
2. Task sequence comments: USMT backup only
* Task sequence comments: USMT backup only
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
@ -48,9 +48,11 @@ In this topic, you will create a backup-only task sequence that you run on PC000
9. On the **Confirmation** page, click **Finish**.
10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
10. Review the Replace Task Sequence.
>[!NOTE]
>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
![figure 34](images/mdt-06-fig42.png)
![The back-up only task sequence](images/mdt-06-fig42.png "The back-up only task sequence")
Figure 34. The backup-only task sequence (named Replace Task Sequence).
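Review bot: the new image alt text says "The back-up only task sequence" while the caption directly below it says "backup-only task sequence"; pick one spelling. The `>[!NOTE]` block inserted after step 10 is also not indented under that list item, so the numbered list will be broken by the blockquote; indent it to the list's text column.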
@ -67,13 +69,13 @@ This section walks you through the process of associating a blank machine, PC000
4. On the **Single Computer** page, use the following settings and then click **Next**:
1. Computer Name: PC0006
* Computer Name: PC0006
2. MAC Address: &lt;the mac address from step 1&gt;
* MAC Address: &lt;the mac address from step 1&gt;
3. Source Computer: PC0004
* Source Computer: PC0004
![figure 35](images/mdt-06-fig43.png)
![Create the computer association](images/mdt-06-fig43.png "Create the computer association")
Figure 35. Creating the computer association between PC0004 and PC0006.
@ -96,25 +98,25 @@ This section walks you through the process of associating a blank machine, PC000
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
1. General
* General
2. Name: USMT Backup (Replace)
* Name: USMT Backup (Replace)
3. Limited Collection: All Systems
* Limited Collection: All Systems
4. Membership rules:
* Membership rules:
5. Direct rule
* Direct rule
6. Resource Class: System Resource
* Resource Class: System Resource
7. Attribute Name: Name
* Attribute Name: Name
8. Value: PC0004
* Value: PC0004
9. Select **Resources**
* Select **Resources**
10. Select **PC0004**
* Select **PC0004**
2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
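Review bot: converting the wizard settings to a flat bullet list puts "General" and "Membership rules" on the same level as the values that belong to them ("Name", "Limited Collection", "Direct rule", "Resource Class", and so on), so the reader can no longer tell which page of the dialog each setting lives on; nest the settings as sub-bullets under "General" and "Membership rules" respectively.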
@ -158,10 +160,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
**Note**  
You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
>[!NOTE]  
>You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
@ -173,8 +173,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
**Note**  
It may take a few minutes for the user state store location to be populated.
>[!NOTE]  
>It may take a few minutes for the user state store location to be populated.
 
@ -183,21 +183,21 @@ It may take a few minutes for the user state store location to be populated.
1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
1. Password: P@ssw0rd
* Password: P@ssw0rd
2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
2. The setup now starts and does the following:
1. Installs the Windows 10 operating system
* Installs the Windows 10 operating system
2. Installs the Configuration Manager client
* Installs the Configuration Manager client
3. Joins it to the domain
* Joins it to the domain
4. Installs the applications
* Installs the applications
5. Restores the PC0004 backup
* Restores the PC0004 backup
When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.

View File

@ -19,7 +19,7 @@ author: mtniehaus
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](images/mdt-03-fig01.png)
![The machines used in this topic](images/mdt-03-fig01.png "The machines used in this topic")
Figure 1. The machines used in this topic.
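Review bot: in the context line "User State Migration Tool (USMT) will be used to backup and restore data and settings", "backup" is the noun; as a verb it should be "back up". The alt-text change itself is fine and matches the caption.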
@ -30,11 +30,13 @@ When preparing for the computer replace, you need to create a folder in which to
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
### Create and share the MigData folder
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` syntax
New-Item -Path E:\MigData -ItemType directory
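Review bot: the fenced block for the three commands uses the info string `syntax`, which is not a language name, so no highlighting is applied; since the sentence above says they are run in "an elevated Windows PowerShell prompt", tag the fence `powershell`.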
@ -45,75 +47,89 @@ When preparing for the computer replace, you need to create a folder in which to
### Create a backup only (replace) task sequence
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REPLACE-001
2. Task sequence name: Backup Only Task Sequence
3. Task sequence comments: Run USMT to backup user data and settings
4. Template: Standard Client Replace Task Sequence
* Task sequence ID: REPLACE-001
* Task sequence name: Backup Only Task Sequence
* Task sequence comments: Run USMT to backup user data and settings
* Template: Standard Client Replace Task Sequence
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
![figure 2](images/mdt-03-fig02.png)
![The Backup Only Task Sequence action list](images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
Figure 2. The Backup Only Task Sequence action list.
## <a href="" id="sec02"></a>Perform the computer replace
During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Execute the replace task sequence
1. On PC0002, log on as **CONTOSO\\Administrator**.
2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
4. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
1. Specify where to save your data and settings: Specify a location
2. Location: \\\\MDT01\\MigData$\\PC0002
**Note**  
If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
* Specify where to save your data and settings: Specify a location
* Location: \\\\MDT01\\MigData$\\PC0002
>[!NOTE]  
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
 
2. Specify where to save a complete computer backup: Do not back up the existing computer
3. Password: P@ssw0rd
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
![figure 3](images/mdt-03-fig03.png)
![The new task sequence](images/mdt-03-fig03.png "The new task sequence")
Figure 3. The new task sequence running the Capture User State action on PC0002.
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
![figure 4](images/mdt-03-fig04.png)
![The USMT backup](images/mdt-03-fig04.png "The USMT backup")
Figure 4. The USMT backup of PC0002.
### Deploy the PC0007 virtual machine
1. Create a virtual machine with the following settings:
1. Name: PC0007
2. Location: C:\\VMs
3. Generation: 2
4. Memory: 2048 MB
5. Hard disk: 60 GB (dynamic disk)
* Name: PC0007
* Location: C:\\VMs
* Generation: 2
* Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
![figure 5](images/mdt-03-fig05.png)
![The initial PXE boot process](images/mdt-03-fig05.png "The initial PXE boot process")
Figure 5. The initial PXE boot process of PC0005.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
1. Password: P@ssw0rd
2. Select a task sequence to execute on this computer:
1. Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: PC0007
3. Applications: Select the Install - Adobe Reader XI - x86 application.
* Password: P@ssw0rd
* Select a task sequence to execute on this computer:
* Windows 10 Enterprise x64 RTM Custom Image
* Computer Name: PC0007
* Applications: Select the Install - Adobe Reader XI - x86 application.
4. The setup now starts and does the following:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
4. Restores the USMT backup from PC0002.
* Installs the Windows 10 Enterprise operating system.
* Installs the added application.
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
## Related topics
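Review bot: the Figure 5 caption reads "The initial PXE boot process of PC0005", but the virtual machine created in step 1 and started in step 2 of this section is PC0007; fix the caption. Also in this hunk: the `>[!NOTE]` block after "Location: \\\\MDT01\\MigData$\\PC0002" is at column 0 inside a numbered list and will break it (indent it to the bullet level); "Windows 10 Enterprise x64 RTM Custom Image" was a sub-item of "Select a task sequence to execute on this computer:" and is now a sibling bullet, so the value is no longer tied to its setting; "optional full Window Imaging (WIM) backup" should be "Windows Imaging"; and "an USMT.MIG compressed backup file" should be "a USMT.MIG".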

View File

@ -0,0 +1,896 @@
---
title: Resolve Windows 10 upgrade errors
description: Resolve Windows 10 upgrade errors
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
localizationpriority: high
---
# Resolve Windows 10 upgrade errors
**Applies to**
- Windows 10
This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
## In this topic
The following sections and procedures are provided in this guide:
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.<BR>
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.<BR>
- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
- [Result codes](#result-codes): Information about result codes.
- [Extend codes](#extend-codes): Information about extend codes.
- [Log files](#log-files): A list and description of log files useful for troubleshooting.
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
- [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
- [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
## The Windows 10 upgrade process
The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
- Example error codes: 0x2000C, 0x20017
3. **First boot phase**: Initial settings are applied.
- Example error codes: 0x30018, 0x3000D
4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
- Example error: 0x4000D, 0x40017
5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
- Example error: 0x50000
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
![Upgrade process](images/upgrade-process.png)
DU = Driver/device updates.<BR>
OOBE = Out of box experience.<BR>
WIM = Windows image (Microsoft)
## Quick fixes
The following steps can resolve many Windows upgrade problems.
<OL>
<LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
<UL>
<LI>chkdsk /F</LI>
</UL>
</LI>
<LI>Attept to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
<UL>
<LI>DISM.exe /Online /Cleanup-image /Restorehealth</LI>
<LI>sfc /scannow</LI>
</UL>
</LI>
<LI>Update Windows so that all available recommended updates are installed.</LI>
<LI>Uninstall non-Microsoft antivirus software.
<UL>
<LI>Use Windows Defender for protection during the upgrade.
<LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
</UL>
<LI>Uninstall all nonessential software.</LI>
<LI>Remove nonessential external hardware, such as docks and USB devices.</LI>
<LI>Update firmware and drivers.</LI>
<LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
<LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
</OL>
## Upgrade error codes
If the upgrade process is not successful, Windows Setup will return two codes:
1. **A result code**: The result code corresponds to a specific Win32 error.
2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
### Result codes
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
Result codes can be matched to the type of error encountered. To match a result code to an error:
1. Identify the error code type, either Win32 or NTSTATUS, using the first hexidecimal digit:
<BR>8 = Win32 error code (ex: 0x**8**0070070)
<BR>C = NTSTATUS value (ex: 0x**C**1900107)
2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
3. Based on the type of error code determined in the first step, match the 4 digits derived from the second step to either a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx), or an [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx).
For example:
- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot.
### Extend codes
>Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
1. Use the first digit to identify the phase (ex: 0x4000D = 4).
2. Use the last two digits to identify the operation (ex: 0x4000D = 0D).
3. Match the phase and operation to values in the tables provided below.
The following tables provide the corresponding phase and operation for values of an extend code:
<TABLE cellspacing=0 cellpadding=0>
<TR><TD colspan=2 align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: phase</B></TD>
<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 5.4pt 0in 5.4pt'><span style='padding:0in 1pt 0in 1pt;'><b>Phase</b>
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_UNKNOWN
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_DOWNLEVEL
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_SAFE_OS
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_FIRST_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OOBE_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_UNINSTALL
</TABLE>
<TABLE border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;border:none'>
<TR><TD colspan=2 align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: operation</B></TD>
<TR><TD align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 4pt 0in 4pt'><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_UNKNOWN
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_COPY_PAYLOAD
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DOWNLOAD_UPDATES
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_UPDATES
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>6<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REPLICATE_OC
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>7<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_DRVIERS
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>8<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_SAFE_OS
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>9<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_ROLLBACK
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>A<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_FIRST_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>B<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_OOBE_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>C<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_APPLY_IMAGE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>D<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_MIGRATE_DATA
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>E<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SET_PRODUCT_KEY
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>F<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_UNATTEND
</TABLE>
</TD>
<TD align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt'><b>Hex</b><TD style='padding:0in 4pt 0in 4pt'><b>Operation</b>
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>10<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_DRIVER
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>11<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ENABLE_FEATURE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>12<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DISABLE_FEATURE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>13<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>14<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>15<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_FILE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>16<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_REGISTRY
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>17<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>18<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SYSPREP
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>19<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_OOBE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1A<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_FIRST_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1B<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_FIRST_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1C<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_OOBE_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1D<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_OOBE_BOOT
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1E<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PRE_OOBE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1F<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_POST_OOBE
<TR><TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>20<TD style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
</TABLE>
</TD>
</TR>
</TABLE>
For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
## Log files
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
<P>The following table describes some log files and how to use them for troubleshooting purposes:
<TABLE>
<TR>
<td BGCOLOR="#a0e4fa"><B>Log file<td BGCOLOR="#a0e4fa"><B>Phase: Location<td BGCOLOR="#a0e4fa"><B>Description<td BGCOLOR="#a0e4fa"><B>When to use
<TR><TD rowspan=5>setupact.log<TD>Down-Level:<BR>$Windows.~BT\Sources\Panther<TD>Contains information about setup actions during the downlevel phase.
<TD>All down-level failures and starting point for rollback investigations.<BR> This is the most important log for diagnosing setup issues.
<TR><TD>OOBE:<BR>$Windows.~BT\Sources\Panther\UnattendGC
<TD>Contains information about actions during the OOBE phase.<TD>Investigating rollbacks that failed during OOBE phase and operations 0x4001C, 0x4001D, 0x4001E, 0x4001F.
<TR><TD>Rollback:<BR>$Windows.~BT\Sources\Rollback<TD>Contains information about actions during rollback.<TD>Investigating generic rollbacks - 0xC1900101.
<TR><TD>Pre-initialization (prior to downlevel):<BR>Windows</TD><TD>Contains information about initializing setup.<TD>If setup fails to launch.
<TR><TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about setup actions during the installation.<TD>Investigate post-upgrade related issues.
<TR><TD>setuperr.log<TD>Same as setupact.log<TD>Contains information about setup errors during the installation.<TD>Review all errors encountered during the installation phase.
<TR><TD>miglog.xml<TD>Post-upgrade (after OOBE):<BR>Windows\Panther<TD>Contains information about what was migrated during the installation.<TD>Identify post upgrade data migration issues.
<TR><TD>BlueBox.log<TD>Down-Level:<BR>Windows\Logs\Mosetup<TD>Contains information communication between setup.exe and Windows Update.<TD>Use during WSUS and WU down-level failures or for 0xC1900107.
<TR><TD>Supplemental rollback logs:<BR>
Setupmem.dmp<BR>
setupapi.dev.log<BR>
Event logs (*.evtx)
<TD>$Windows.~BT\Sources\Rollback<TD>Additional logs collected during rollback.
<TD>
Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<BR>
Setupapi: Device install issues - 0x30018<BR>
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
</TABLE>
### Log entry structure
A setupact.log or setuperr.log entry includes the following elements:
<OL>
<LI><B>The date and time</B> - 2016-09-08 09:20:05.
<LI><B>The log level</B> - Info, Warning, Error, Fatal Error.
<LI><B>The logging component</B> - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
<UL>
<LI>The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
</UL>
<LI><B>The message</B> - Operation completed successfully.
</OL>
See the following example:
| Date/Time | Log level | Component | Message |
|------|------------|------------|------------|
|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
### Analyze log files
<P>To analyze Windows Setup log files:
<OL>
<LI>Determine the Windows Setup error code.
<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of the [log files](#log-files) to investigate.
<LI>Open the log file in a text editor, such as notepad.
<LI>Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively, search for the "abort" and "abandoning" text strings described in step 7 below.
<LI>To find the last occurrence of the result code:
<OL type="a">
<LI>Scroll to the bottom of the file and click after the last character.
<LI>Click **Edit**.
<LI>Click **Find**.
<LI>Type the result code.
<LI>Under **Direction** select **Up**.
<LI>Click **Find Next**.
</OL>
<LI> When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
<LI> Search for the following important text strings:
<UL>
<LI><B>Shell application requested abort</B>
<LI><B>Abandoning apply due to error for object</B>
</UL>
<LI> Decode Win32 errors that appear in this section.
<LI> Write down the timestamp for the observed errors in this section.
<LI> Search other log files for additional information matching these timestamps or errors.
</OL>
For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name, which is a long text string, is shortened to just "CN."
<P><B>setuperr.log</B> content:
<pre style="font-size: 10px; overflow-y: visible">
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Error Gather failed. Last error: 0x00000000
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44
27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
</PRE>
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
<pre style="font-size: 10px; overflow-y: visible">
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
</PRE>
The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
<P><B>setupact.log</B> content:
<pre style="font-size: 10px; overflow-y: visible">
27:00, Info Gather started at 10/5/2016 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37
27:08, Info [0x080489] MIG Setting system object filter context (System)
27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
27:08, Error Gather failed. Last error: 0x00000000
27:08, Info Gather ended at 10/5/2016 23:27:08 with result 44
27:08, Info Leaving MigGather method
27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
</PRE>
<P>This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
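The parsing and search steps described under "Log entry structure" and "Analyze log files", as an added example that is not part of this guide or of Windows Setup: a small Python triage script. It splits each entry into the four elements the guide lists (date/time, level, component, message), finds the last occurrence of the result code, gathers the Error entries logged up to that point, flags the two text strings from step 7, decodes 0x8007xxxx result codes and `[gle=...]` values to their Win32 names (step 8), and pulls entries with matching timestamps from a second log (step 9). The sample lines are constructed from the setuperr.log and setupact.log excerpts above with full timestamps restored; the Win32 error table is a small subset chosen for the example, and any code outside it is reported as unknown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of winerror.h values seen in upgrade failures (not a complete table).
WIN32_ERRORS: Dict[int, str] = {
    2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 31: "ERROR_GEN_FAILURE",
    32: "ERROR_SHARING_VIOLATION", 112: "ERROR_DISK_FULL", 183: "ERROR_ALREADY_EXISTS",
    1067: "ERROR_PROCESS_ABORTED", 1208: "ERROR_EXTENDED_ERROR",
    1314: "ERROR_PRIVILEGE_NOT_HELD", 1392: "ERROR_FILE_CORRUPT",
}
# The two text strings the guide says to search for (step 7).
ABORT_MARKERS = ("Shell application requested abort", "Abandoning apply due to error for object")

# Entry layout from "Log entry structure": date/time, level, component, message.
_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s+"
    r"(?P<level>Fatal Error|Error|Warning|Info)\s+"
    r"(?:\[0x[0-9A-Fa-f]+\]\s+)?"        # optional bracketed operation id (setupact.log)
    r"(?:(?P<comp>[A-Z]{2,6})\s+)?"      # component (SP, MIG, CONX, ...) is sometimes absent
    r"(?P<msg>.*)$")
_GLE = re.compile(r"\[gle=0x([0-9A-Fa-f]+)\]")

@dataclass
class Entry:
    timestamp: str
    level: str
    component: Optional[str]
    message: str
    gle: Optional[int]  # GetLastError value setup appends as [gle=0x...], if present

def parse_entry(line: str) -> Optional[Entry]:
    """Split one line into its elements; None for lines that are not entries."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    g = _GLE.search(m["msg"])
    return Entry(m["ts"], m["level"], m["comp"], m["msg"], int(g.group(1), 16) if g else None)

def win32_from_result(code: int) -> Optional[int]:
    """0x8007xxxx is HRESULT_FROM_WIN32(xxxx); below 0x10000 it is already a Win32 code."""
    if code < 0x10000:
        return code
    return code & 0xFFFF if (code & 0xFFFF0000) == 0x80070000 else None

def describe(code: int) -> str:
    w = win32_from_result(code)
    if w is None:
        return f"0x{code:08X} (not a Win32-derived HRESULT)"
    return f"0x{code:08X} -> Win32 {w} ({WIN32_ERRORS.get(w, 'unknown')})"

def triage(lines: List[str], result_code: int) -> dict:
    """Steps 4-8: last occurrence of the result code, Error entries logged before it,
    abort markers among them, and every code seen decoded to its Win32 name."""
    needle = f"{result_code:08X}".lower()
    last = max((i for i, ln in enumerate(lines) if needle in ln.lower()), default=None)
    if last is None:
        return {"found": False}
    errors = [e for e in map(parse_entry, lines[:last + 1]) if e and e.level in ("Error", "Fatal Error")]
    gles = sorted({e.gle for e in errors if e.gle is not None})
    return {
        "found": True,
        "result": describe(result_code),
        "errors_before": [(e.timestamp, e.component, e.message) for e in errors],
        "abort_markers": [e.message for e in errors if any(mk in e.message for mk in ABORT_MARKERS)],
        "gle_codes": [describe(g) for g in gles],
        "timestamps": sorted({e.timestamp for e in errors}),
    }

def correlate(other_log: List[str], timestamps: List[str]) -> List[Entry]:
    """Step 9: entries from another log whose timestamps fall in the failure window."""
    want = set(timestamps)
    return [e for e in map(parse_entry, other_log) if e and e.timestamp in want]

# Constructed sample: the guide's setuperr.log / setupact.log excerpts with full timestamps.
SAMPLE_SETUPERR = [
    "2016-10-05 15:27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18 [CN]. Will return 0[gle=0x00000570]",
    "2016-10-05 15:27:08, Error MIG Error 1392 while gathering object C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]",
    "2016-10-05 15:27:08, Error Gather failed. Last error: 0x00000000",
    "2016-10-05 15:27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C",
    "2016-10-05 15:27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]",
    "2016-10-05 15:27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]",
]
SAMPLE_SETUPACT = [
    "2016-10-05 15:27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: <System>\\UpgradeFramework (CMXEAgent)",
    "2016-10-05 15:27:08, Error MIG Error 1392 while gathering object C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]",
    "2016-10-05 15:27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.",
    "2016-10-05 15:27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25",
]

if __name__ == "__main__":
    report = triage(SAMPLE_SETUPERR, 0x8007042B)
    print(report["result"], "| abort markers:", len(report["abort_markers"]), "| gle:", report["gle_codes"])
    for e in correlate(SAMPLE_SETUPACT, report["timestamps"]):
        print("setupact:", e.timestamp, e.level, e.component, e.message[:60])
```

To use it on a real log, pass the file's lines, for example `triage(open(path, errors="replace").read().splitlines(), 0x8007042B)`; `errors="replace"` keeps one stray non-UTF-8 byte from aborting the read. On the sample, the result decodes to ERROR_PROCESS_ABORTED, the two `gle` values decode to ERROR_ALREADY_EXISTS and ERROR_FILE_CORRUPT, and the single abort marker is the MIG line naming the certificate file, which is the same conclusion the walkthrough above reaches by hand.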
## Resolution procedures
### 0xC1900101
A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<BR>
- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process.
<P>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
<BR>This is generally caused by out-of-date drivers.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Uninstall antivirus applications.
<BR>Remove all unused SATA devices.
<BR>Remove all unused devices and drivers.
<BR>Update drivers and BIOS.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
<BR>This is generally caused by out-of-date drivers.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
<BR>Contact your hardware vendor to obtain updated device drivers.
<BR>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
<BR>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
<P>This is a safeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Ensure that all drivers are updated.<BR>
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
<BR>For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx).
<BR>Update or uninstall the problem drivers.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
<BR>Contact your hardware vendor to obtain updated device drivers.
<BR>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
<BR>This can occur due to a problem with a display driver.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
<BR>Update or uninstall the display driver.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
<P>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
<P>This can occur due to incompatible drivers.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
<P>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
<p>Review the rollback log and determine the stop code.
<BR>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. An example analysis is shown below. This example is not representative of all cases:
<p>Info SP Crash 0x0000007E detected
<BR>Info SP Module name :
<BR>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
<BR>Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
<BR>Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
<BR>Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
<BR>Info SP Cannot recover the system.
<BR>Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
<P>Typically there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<BR>
1. Make sure you have enough disk space.<BR>
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<BR>
3. Try changing video adapters.<BR>
4. Check with your hardware vendor for any BIOS updates.<BR>
5. Disable BIOS memory options such as caching or shadowing.
</p>
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
<BR>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Clean boot into Windows, and then attempt the upgrade to Windows 10.<BR>
For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
<P>Ensure you select the option to "Download and install updates (recommended)."
</TABLE>
</TD>
</TR>
</TABLE>
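The stop-code extraction in the 0xC1900101 - 0x4000D row above, as an added example that is not part of this guide: it pulls the bug check code, module name and four parameters out of the `SP Crash ... detected` lines, names the stop code and, for exception-type stop codes, the NTSTATUS value carried in parameter 1, and reports whether setup named a driver, which is what decides between step 2 of that row's mitigation list and the generic steps. The SAMPLE_ROLLBACK lines are the guide's own excerpt; the STOP_CODES and NTSTATUS tables are small subsets included for the example, not an exhaustive reference, and any code outside them is reported as unknown.

```python
import re
from typing import Dict, List, Optional

# Stop codes that commonly surface in upgrade rollbacks (subset of the bug check reference).
STOP_CODES: Dict[int, str] = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA", 0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0xC4: "DRIVER_VERIFIER_DETECTED_VIOLATION",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
# For 0x7E and 0x1E the first bug check parameter is the NTSTATUS exception code.
NTSTATUS: Dict[int, str] = {0xC0000005: "STATUS_ACCESS_VIOLATION",
                            0x80000003: "STATUS_BREAKPOINT",
                            0xC000001D: "STATUS_ILLEGAL_INSTRUCTION"}

_CRASH = re.compile(r"Crash 0x([0-9A-Fa-f]+) detected")
_MODULE = re.compile(r"Module name\s*:\s*(\S*)")
_PARAM = re.compile(r"Bugcheck parameter (\d) : 0x([0-9A-Fa-f]+)")

def parse_rollback(lines: List[str]) -> Optional[dict]:
    """Stop code, its name, the faulting module (if setup named one) and the four
    bug check parameters from rollback-log lines; None if no crash was logged."""
    stop = module = None
    params: Dict[int, int] = {}
    for line in lines:
        m = _CRASH.search(line)
        if m:
            stop = int(m.group(1), 16)
            continue
        m = _MODULE.search(line)
        if m:
            module = m.group(1) or None   # blank means setup could not name a driver
            continue
        m = _PARAM.search(line)
        if m:
            params[int(m.group(1))] = int(m.group(2), 16)
    if stop is None:
        return None
    info = {"stop_code": stop, "name": STOP_CODES.get(stop, "unknown"),
            "module": module, "params": [params.get(i, 0) for i in range(1, 5)]}
    if stop in (0x7E, 0x1E) and 1 in params:
        status = params[1] & 0xFFFFFFFF   # the log sign-extends the 32-bit NTSTATUS to 64 bits
        info["exception"] = NTSTATUS.get(status, f"0x{status:08X}")
    # The row's mitigation list branches on whether a driver was identified.
    info["next_step"] = ("disable or update the named driver" if module
                         else "no driver named: apply the generic steps (disk space, video adapter, BIOS)")
    return info

# The rollback-log excerpt from the guide, reused as sample input.
SAMPLE_ROLLBACK = [
    "Info SP Crash 0x0000007E detected",
    "Info SP Module name :",
    "Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005",
    "Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A",
    "Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728",
    "Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40",
    "Info SP Cannot recover the system.",
]

if __name__ == "__main__":
    print(parse_rollback(SAMPLE_ROLLBACK))
```

On the guide's excerpt this reports stop code 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) with an access-violation exception and an empty module name, so the script steers to the generic steps; parameter 2 is the faulting address, which is what a debugger session on setupmem.dmp would resolve to a module when setup itself could not.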
### 0x800xxxxx
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
<P>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8000405 - 0x20007
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
An unspecified error occurred with a driver during the SafeOS phase.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
800704B8 - 0x3001A
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
An extended error has occurred during the first boot phase.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007042B - 0x4000D
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
<BR>This issue can occur due to file system, application, or driver issues.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
[Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007001F - 0x4000D
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
General failure, a device attached to the system is not functioning.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
[Analyze log files](#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
</TABLE>
</TD>
</TR>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
8007042B - 0x4001E
</TABLE>
<P><TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The installation failed during the second boot phase while attempting the PRE_OOBE operation.
</TABLE>
</TD>
<TD align="left" valign="top" style='border:solid #000000 1.0pt;'>
<TABLE cellspacing=0 cellpadding=0>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<TR><TD style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
</TABLE>
</TD>
</TR>
</TABLE>
### Other result codes
<table>
<tr>
<td BGCOLOR="#a0e4fa"><B>Error code</B></td>
<td BGCOLOR="#a0e4fa"><B>Cause</B></td>
<td BGCOLOR="#a0e4fa"><B>Mitigation</B></td>
</tr>
<tr>
<td>0xC1800118</td>
<td>WSUS has downloaded content that it cannot use due to a missing decryption key.</td>
<td>See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information.</td>
</tr>
<tr>
<td>0xC1900200</td>
<td>Setup.exe has detected that the machine does not meet the minimum system requirements.</td>
<td>Ensure the system you are trying to upgrade meets the minimum system requirements. <P>See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) for information.</td>
</tr>
<tr>
<td>0x80090011</td>
<td>A device driver error occurred during user data migration.</td>
<td>Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during the upgrade process.
<P>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
</tr>
<tr>
<td>0xC7700112</td>
<td>Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.</td>
<td>This issue is resolved in the latest version of Upgrade Assistant.
<P>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
</tr>
<tr>
<td>0x80190001</td>
<td>An unexpected error was encountered while attempting to download files required for upgrade.</td>
<td>To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
</td>
</tr>
<tr>
<td>0x80246007</td>
<td>The update was not downloaded successfully.</td>
<td>Attempt other methods of upgrading the operating system.<BR>
Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
<BR>Attempt to upgrade using .ISO or USB.<BR>
**Note**: Windows 10 Enterprise isn't available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
</td>
</tr>
<tr>
<td>0xC1900201</td>
<td>The system did not pass the minimum requirements to install the update.</td>
<td>Contact the hardware vendor to get the latest updates.</td>
</tr>
<tr>
<td>0x80240017</td>
<td>The upgrade is unavailable for this edition of Windows.</td>
<td>Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.</td>
</tr>
<tr>
<td>0x80070020</td>
<td>The existing process cannot access the file because it is being used by another process.</td>
<td>Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).</td>
</tr>
<tr>
<td>0x80070522</td>
<td>The user doesn't have the required privileges or credentials to upgrade.</td>
<td>Ensure that you have signed in as a local administrator or have local administrator privileges.</td>
</tr>
<tr>
<td>0xC1900107</td>
<td>A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
</td>
<td>Reboot the device and run setup again. If restarting the device does not resolve the issue, use the Disk Cleanup utility to clean up temporary files as well as system files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).</td>
</tr>
<tr>
<td>0xC1900209</td>
<td>The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.</td>
<td>Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information.
<P>You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
</td>
</tr>
<tr>
<td>0x8007002 </td>
<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
<td>Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
<P>The error 80072efe means that the connection with the server was terminated abnormally.
<P>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
</td>
</tr>
</table>
### Other error codes
<TABLE>
<TR><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</TD></TR>
<TR><TD>0x80070003- 0x20007
<TD>This is a failure during SafeOS phase driver installation.
<TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
</TD></TR>
<TR><TD>0x8007025D - 0x2000C
<TD>This error occurs if the ISO file's metadata is corrupt.<TD>Re-download the ISO/media and re-attempt the upgrade.
Alternatively, re-create the installation media using the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
</TD></TR>
<TR><TD>0x80070490 - 0x20007<TD>An incompatible device driver is present.
<TD>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
</TD></TR>
<TR><TD>0xC1900101 - 0x2000c
<TD>An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
<TD>Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
<P>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.</TD></TR>
<TR><TD>0xC1900200 - 0x20008
<TD>The computer doesn't meet the minimum requirements to download or upgrade to Windows 10.
<TD>See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
<BR>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</TD></TR>
<TR><TD>0x80070004 - 0x3000D
<TD>This is a problem with data migration during the first boot phase. There are multiple possible causes.
<TD>[Analyze log files](#analyze-log-files) to determine the issue.</TD></TR>
<TR><TD>0xC1900101 - 0x4001E
<TD>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
<TD>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.</TD></TR>
<TR><TD>0x80070005 - 0x4000D
<TD>The installation failed in the SECOND_BOOT phase with an error during the MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.</TD></TR>
<TR><TD>0x80070004 - 0x50012
<TD>Windows Setup failed to open a file.
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.</TD></TR>
<TR><TD>0xC190020e
<BR>0x80070070 - 0x50011
<BR>0x80070070 - 0x50012
<BR>0x80070070 - 0x60000
<TD>These errors indicate the computer does not have enough free space available to install the upgrade.
<TD>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
<P>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
</TD></TR>
</TABLE>
## Related topics
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
<BR>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
<BR>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
<BR>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
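Review bot: the note under the 0x80070070 rows should warn about what lands on the USB drive. The text says Setup "will back up the previous version of Windows to a USB external drive", and that backup is a complete copy of the old installation, user profiles and registry hives included; add a sentence telling admins to handle that drive with the same care as the device's own disk and to wipe it once the upgrade is confirmed good. Separately, the 0x80070005 - 0x4000D and 0x80070004 - 0x50012 rows both send the reader to the generic "Analyze log files" link; naming the log file the reader should open for the MIGRATE_DATA access-denied case would save a round trip.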

@ -101,7 +101,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB 3170106](https://support.microsoft.com/en-us/kb/3170106)<br>Site discovery requires July 2016 security update for Internet Explorer. |
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Site discovery requires the [July 2016 security update for Internet Explorer](https://support.microsoft.com/en-us/kb/3170106) (KB3170106) or later. |
### Automate data collection

@ -15,7 +15,7 @@ This section of the Upgrade Analytics workflow provides an inventory of web site
Ensure the following prerequisites are met before using site discovery:
1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update (KB3170106)](https://support.microsoft.com/kb/3170106) and later.
1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update](https://support.microsoft.com/kb/3170106) and later.
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it.
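Review bot: "telemetery" in step 2 is a typo for "telemetry". This hunk also drops "(KB3170106)" from the link text for the July 2016 cumulative update, while the hunk in the companion topic above adds "(KB3170106)" to its link text for the same update; pick one convention, and keeping the KB number visible is the more useful one because readers search by KB. Step 3 turns on Internet Explorer data collection, which is what feeds the site inventory this topic describes; the step should say which setting the deployment script changes and that it is an opt-in the organisation needs to approve, rather than just "modify the deployment script".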

@ -38,7 +38,15 @@
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN profile options](vpn-profile-options.md)
## [VPN technical guide](vpn-guide.md)
### [VPN connection types](vpn-connection-type.md)
### [VPN routing decisions](vpn-routing.md)
### [VPN authentication options](vpn-authentication.md)
### [VPN and conditional access](vpn-conditional-access.md)
### [VPN name resolution](vpn-name-resolution.md)
### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
### [VPN security features](vpn-security-features.md)
### [VPN profile options](vpn-profile-options.md)
## [Windows security baselines](windows-security-baselines.md)
## [Security technologies](security-technologies.md)
### [Access Control Overview](access-control.md)

@ -12,6 +12,12 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
| New or changed topic | Description |
| --- | --- |
| [VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
## September 2016
| New or changed topic | Description |

@ -33,15 +33,54 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
a. Select **Endpoint Management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-onboard-mdm.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
a. Select **Policy** > **Configuration Policies** > **Add**.
![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
c. Type a name and description for the policy.
![Microsoft Intune Create Policy](images/atp-intune-policy-name.png)
d. Under OMA-URI settings, select **Add...**.
![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
e. Type the following values then select **OK**:
![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
- **Setting name**: Type a name for the setting.
- **Setting description**: Type a description for the setting.
- **Data type**: Select **String**.
- **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
- **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
f. Save the policy.
![Microsoft Intune save policy](images/atp-intune-save-policy.png)
g. Deploy the policy.
![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png)
h. Select the device group to deploy the policy to:
![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png)
When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**.
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
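Review bot: the alt text for the step d screenshot reads "Microsoft Intune add OMC-URI"; it should be "OMA-URI". The step e screenshot reuses the step f alt text "Microsoft Intune save policy" although it shows the OMA-URI setting being entered; give it its own description. In step 2, "shared, read-only location that can be accessed by the network administrators" is the right idea but should be phrased as a requirement: the WindowsDefenderATP.onboarding file is what binds a machine to your tenant, so the share's ACL should be limited to the admins who deploy the policy and the file should not sit on a general-purpose share. Finally, the replacement sentence "These policies can be sub-categorized to:" keeps the dangling "to:" from the old text; "into the following:" reads better.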
@ -49,10 +88,10 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> [!NOTE]
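Review bot: in the last row, the description "Windows Defender ATP Sample sharing is enabled" is wrong for value 0; it should say that 0 disables sample submission and 1 (the default) allows it. Because sample sharing sends files from the endpoint to the service, the row should tell admins with data-handling restrictions to set 0 explicitly instead of relying on the default. The renamed health rows are clearer than the blank-first-column layout they replace, but their Value column is an expected state rather than something the policy sets; labelling it as such for those rows would match the note that follows.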
@ -83,8 +122,8 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.

@ -312,7 +312,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<tr class="header">
<th align="left">Windows Hello for Business mode</th>
<th align="left">Azure AD</th>
<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016)</th>
<th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
</tr>
</thead>
@ -321,11 +320,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<td align="left">Key-based authentication</td>
<td align="left">Azure AD subscription</td>
<td align="left"><ul>
<li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
<li>Microsoft System Center 2012 R2 Configuration Manager SP2</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
@ -341,12 +335,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<li>PKI infrastructure</li>
</ul></td>
<td align="left"><ul>
<li>ADFS (Windows Server 2016)</li>
<li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
<li>PKI infrastructure</li>
<li>Configuration Manager SP2, Intune, or non-Microsoft MDM solution</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>AD CS with NDES</li>
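Review bot: the three hunks remove the on-premises AD column cleanly: each dropped cell includes both its `<td align="left"><ul>` opening and its `</ul></td>` closing, so the table stays well-formed at three columns. What is missing is a pointer for readers with an on-premises-only deployment, who now find no requirements in this table at all; either say in the surrounding text where that guidance lives or state that the scenario is not yet supported. The remaining hybrid header still carries "(available with production release of Windows Server 2016)"; if that qualifier was the reason for dropping the on-premises column, apply the same decision here.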

@ -26,7 +26,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
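Review bot: the row's link now points at vpn-guide.md but the description is carried over unchanged from the old "VPN profile options" row, so it still describes a single options topic. Update it to describe the guide (connection types, routing, authentication, conditional access, name resolution, auto-trigger, security features, profile options) so the index matches the TOC change made in this commit.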

@ -19,7 +19,7 @@ localizationpriority: high
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
>[!NOTE]
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.

@ -298,7 +298,6 @@ Table 1. Deployment requirements for Microsoft Passport
<th align="left">Microsoft Passport method</th>
<th align="left">Azure AD</th>
<th align="left">Hybrid Active Directory</th>
<th align="left">On-premises Active Directory only</th>
</tr>
</thead>
<tbody>
@ -312,8 +311,6 @@ Table 1. Deployment requirements for Microsoft Passport
<li>A management solution, such as Configuration Manager, Group Policy, or MDM</li>
<li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li>
</ul></td>
<td align="left"><p>One or more Windows Server 2016 Technical Preview domain controllers</p>
<p>AD FS of Windows Server 2016 Technical Preview</p></td>
</tr>
<tr class="even">
<td align="left">Certificate-based</td>
@ -326,9 +323,6 @@ Table 1. Deployment requirements for Microsoft Passport
<li>AD CS with NDES</li>
<li>Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
</ul></td>
<td align="left"><p>AD DS Windows Server 2016 Technical Preview schema</p>
<p>AD FS of Windows Server 2016 Technical Preview</p>
<p>PKI infrastructure System Center 2012 R2 Configuration Manager with SP2 or later</p></td>
</tr>
</tbody>
</table>

@ -74,6 +74,8 @@ Event ID | Error Type | Resolution steps
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
Use the following tables to understand the possible causes of issues while onboarding:
- Microsoft Intune error codes and OMA-URIs table
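Review bot: the new sentence says "see the Configure automatic MDM enrollment section" but the link is an opaque fwlink and no topic is named; say which topic the section belongs to so readers who land on a stale redirect can still find it.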
@ -114,7 +116,7 @@ Channel name: Admin
ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
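Review bot: the new resolution for event 1819 replaces the ELAM-driver guidance with "Download the Cumulative Update for Windows 10, 1607" behind an fwlink; put the KB number in the link text so readers can confirm whether the update is already installed, and say whether the "Ensure the Windows Defender ELAM driver is enabled" section this row used to link to is still referenced anywhere or should be removed. In the unchanged line below, "not appearing in the machines view an hour" is missing "after".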

@ -0,0 +1,61 @@
---
title: VPN authentication options (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN authentication options
**Applies to**
- Windows 10
- Windows 10 Mobile
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
<table>
<thead><tr><th>Method</th><th>Details</th></thead>
<tbody>
<tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
<tr><td><a href="https://msdn.microsoft.com/library/cc754179.aspx">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="https://msdn.microsoft.com/library/cc238384.aspx">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr>
<tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li>Trusted root certificate for server certificate</li><li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody>
</table>
</br>
For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
- Smart card
- Certificate
- Windows Hello for Business
- User name and password
- One-time password
- Custom credential type
## Configure authentication
See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for EAP XML configuration.
>[!NOTE]
>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) to create a smart card certificate. [Learn more about Windows Hello for Business.](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
![EAP XML configuration in Intune profile](images/vpn-eap-xml.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
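Review bot: the front matter still has "description: tbd"; fill it before merge, since it is what search results show. In the table, "Smart card certficates" is a typo for "certificates", and the PEAP cell's HTML is unbalanced: the "Inner method" and "Fast Reconnect" `<li>` elements are never closed and the Cryptobinding item ends with `</li></li>`; browsers tolerate this, the docs build may not. Two security points the page should make explicit. First, PPTP is listed among the built-in types that support EAP with no caveat; its MS-CHAPv2 authentication has been publicly broken for years, and the page should steer readers to IKEv2 or at least mark PPTP as legacy. Second, the EAP-TLS and PEAP rows describe server validation as something that "can be toggled on or off" and a "Notification" that asks the user whether to trust the server; say that turning validation off, or leaving the decision to a user prompt, lets a rogue server harvest the inner credential, and that production profiles should pin the server name and trusted root and suppress the prompt. The TTLS row already states "the server must be validated"; the other two should match.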

@ -0,0 +1,88 @@
---
title: VPN auto-triggered profile options (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN auto-triggered profile options
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, a number of features were added to auto-trigger VPN so users wont have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- App trigger
- Name-based trigger
- Always On
## App trigger
VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
[Find a package family name (PFN) for per-app VPN configuration](https://docs.microsoft.com/intune/deploy-use/find-a-pfn-for-per-app-vpn)
## Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
There are four types of name-based triggers:
- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
- All: if used, all DNS resolution should trigger VPN.
## Always On
Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
- User sign-in
- Network change
- Device screen on
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
## Trusted network detection
This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Configure app-triggered VPN
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
![Add an app for the VPN connection](images/vpn-app-trigger.png)
After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
![Configure rules for the app](images/vpn-app-rules.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
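Review bot: "description: tbd" in the front matter needs real text. Under "Trusted network detection", "DNS suffices" should be "DNS suffixes". More importantly, that section should spell out the threat model: the DNS suffix on the physical interface is handed out by the network the user joins, so a hostile hotspot can present the corporate suffix; the only thing that stops it from suppressing the VPN is the second condition in the sentence, that "the network is private or provisioned by MDM". State that condition as the safeguard it is, and tell admins not to list a suffix that an outside network could plausibly present. In the name-based trigger list, the "All" option ("all DNS resolution should trigger VPN") should also say how it interacts with trusted network detection, otherwise readers will expect the tunnel to come up on the corporate LAN too.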

@ -0,0 +1,127 @@
---
title: VPN and conditional access (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN and conditional access
**Applies to**
- Windows 10
- Windows 10 Mobile
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
>Conditional Access is an Azure AD Premium feature.
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/)
- [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used.
Additional details regarding the Azure AD issued short-lived certificate:
- The default lifetime is 60 minutes and is configurable
- When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
- Encryption compliance
- Device health attestation state (validated against attestation service after query)
The following client-side components are also required:
- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
- Trusted Platform Module (TPM)
## VPN device compliance
Server-side infrastructure requirements to support VPN device compliance include:
- The VPN server should be configured for certificate authentication.
- The VPN server should trust the tenant-specific Azure AD CA
- Either of the below should be true for Kerberos/NTLM SSO:
- Domain servers trust Azure AD CA
- A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
Two client-side configuration service providers are leveraged for VPN device compliance.
- VPNv2 CSP DeviceCompliance settings
- **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
- **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for Kerberos authentication in the case of device compliance.
- **Sso/Enabled**: if this field is set to **true**, the VPN client will look for a separate certificate for Kerberos authentication.
- **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
- **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
- Collects TPM data used to verify health states
- Forwards the data to the Health Attestation Service (HAS)
- Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
## Client connection flow
The VPN client side connection flow works as follows:
![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
When a Device Compliance-enabled VPN connection profile is triggered (either manually or automatically):
1. The VPN client calls into Windows 10s AAD Token Broker, identifying itself as a VPN client.
2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
3. If compliant, Azure AD requests a short-lived certificate
4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
## Configure conditional access
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
![conditional access in profile](images/vpn-conditional-access-intune.png)
>[!NOTE]
>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profiles successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the users device yet.
## Learn more about Conditional Access and Azure AD Health
- [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
- [Getting started with Azure Active Directory Conditional Access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access-azuread-connected-apps/)
- [Control the health of Windows 10-based devices](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
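Review bot: the Azure AD Connect Health link in the component list is broken: `https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/` contains a space and looks like a global "aad" to "Azure AD" replacement that ran inside the URL; the article slug should read `active-directory-aadconnect-health`. In the DeviceCompliance **Enabled** description, "the VPN server must trust the server returned by Azure AD" should say the VPN server must trust the certificate (that is, its issuer) returned by Azure AD, which matches the server-side requirement stated just above it, "The VPN server should trust the tenant-specific Azure AD CA". Minor: step 1 of the connection flow says "Windows 10s AAD Token Broker" while the rest of the page says "Azure AD Token Broker", and the Intune note drops the apostrophes in "VPN profile's successful provisioning" and "user's device".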

View File

@ -0,0 +1,84 @@
---
title: VPN connection types (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN connection types
**Applies to**
- Windows 10
- Windows 10 Mobile
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organizations private network.
There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
![VPN connection types](images/vpn-connection.png)
## Built-in VPN client
- Tunneling protocols
- [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [PPTP](https://technet.microsoft.com/library/ff687676.aspx)
- [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
- Automatic
The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure.
Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Universal Windows Platform VPN plug-in
The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
## Configure connection type
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
![Available connection types](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles.
![Custom XML](images/vpn-custom-xml-intune.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
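Review bot: the **Automatic** description ("try each of the built-in tunneling protocols until one succeeds ... from most secure to least secure") should warn that the fallback chain ends at PPTP, so a profile set to Automatic silently downgrades to PPTP when the IKEv2, SSTP and L2TP attempts fail; suggest adding a sentence recommending an explicit `NativeProtocolType` (for example IKEv2) wherever PPTP is not acceptable. The front matter still carries `description: tbd`, which will ship as the page summary. Minor: "organizations private network" needs an apostrophe.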

View File

@ -0,0 +1,45 @@
---
title: Windows 10 VPN technical guide (Windows 10)
description: Use this guide to configure VPN deployment for Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Windows 10 VPN technical guide
**Applies to**
- Windows 10
- Windows 10 Mobile
This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
![Intune VPN policy template](images/vpn-intune-policy.png)
>[!NOTE]
>This guide does not explain server deployment.
## In this guide
| Topic | Description |
| --- | --- |
| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
| [VPN routing decisions](vpn-routing.md) | Choose between split tunnel and force tunnel configuration |
| [VPN authentication options](vpn-authentication.md) | Select a method for Extensible Authentication Protocol (EAP) authentication. |
| [VPN and conditional access](vpn-conditional-access.md) | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
| [VPN name resolution](vpn-name-resolution.md) | Decide how name resolution should work |
| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) | Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks |
| [VPN security features](vpn-security-features.md) | Set a LockDown VPN profile, configure traffic filtering, and connect VPN profile to Windows Information Protection (WIP) |
| [VPN profile options](vpn-profile-options.md) | Combine settings into single VPN profile using XML |
## Learn more
- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)

View File

@ -0,0 +1,82 @@
---
title: VPN name resolution (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN name resolution
**Applies to**
- Windows 10
- Windows 10 Mobile
When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces.
## Name Resolution Policy table (NRPT)
The NRPT is a table of namespaces that determines the DNS clients havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of name matches that can set up for NRPT:
- Fully qualified domain name (FQDN) that can used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
NRPT is set using the **VPNv2/*ProfileName*/DomainNameInformationList** node of the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). This node also configures Web proxy server or domain name servers.
[Learn more about NRPT](https://technet.microsoft.com/library/ee649207%28v=ws.10%29.aspx)
## DNS suffix
This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
## Persistent
You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
## Configure name resolution
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
![Add DNS rule](images/vpn-name-intune.png)
The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
| Field | XML |
| --- | --- |
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
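Review bot: the Intune-to-XML table maps **Proxy server** to `VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers`, but the VPNv2 CSP node (and the `<WebProxyServers>` element used in the ProfileXML samples on the profile-options page) is `WebProxyServers`; the table entry should be corrected so readers do not author a node the CSP rejects. The Persistent node path `VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent` has a doubled slash. Several sentences lost a word: "determines the DNS clients havior" (client's behavior), "3 types of name matches that can set up" (can be set up), "FQDN that can used" (can be used), "will only performed over VPN" (will only be performed), and "primaryDNS suffix" needs a space. `description: tbd` is still in the front matter.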

View File

@ -16,48 +16,288 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
## Always On
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.
Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
- User sign-on
- Network change
The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** &gt; **Network & Internet** &gt; **VPN** &gt; *VPN profile* &gt; **Let apps automatically use this VPN connection**.
| Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- |
| Connection type | yes |
| Routing: split-tunnel routes | yes, except exclusion routes |
| Routing: forced-tunnel | yes |
| Authentication (EAP) | yes, if connection type is built-in |
| Conditional access | yes |
| Proxy settings | yes, by PAC/WPAD file or server and port |
| Name resolution: NRPT | yes |
| Name resolution: DNS suffix | no |
| Name resolution: persistent | no |
| Auto-trigger: app trigger | yes |
| Auto-trigger: name trigger | yes |
| Auto-trigger: Always On | no |
| Auto-trigger: trusted network detection | no |
| LockDown | no |
| Windows Information Protection (WIP) | no |
| Traffic filters | yes |
## App-triggered VPN
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. This feature was included in Windows 8.1 as "On demand VPN". The applications can be defined using the following:
- Package family name for Universal Windows Platform (UWP) apps
- File path for Classic Windows applications
## Traffic filters
## Sample Native VPN profile
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy . With the ever-increasing landscape of remote threats on the corporate network and lesser IT controls on machines, it becomes essential to control the traffic that is allowed through. While server-side layers of firewalls and proxies help, by adding traffic filters the first layer of filtering can be moved onto the client with more advanced filtering on the server side. There are two types of Traffic Filter rules:
The following is a sample Native VPN profile. This blob would fall under the ProfileXML node.
- **App-based rules**. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
- **Traffic-based rules**. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
```
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<NativeProfile>
<Servers>testServer.VPN.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<!--Sample EAP profile (PEAP)-->
<Authentication>
<UserMethod>Eap</UserMethod>
<MachineMethod>Eap</MachineMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
<TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
</ServerValidation>
<FastReconnect>true</FastReconnect>
<InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
<TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<EKUMapping>
<EKUMap>
<EKUName>AAD Conditional Access</EKUName>
<EKUOID>1.3.6.1.4.1.311.87</EKUOID>
</EKUMap>
</EKUMapping>
<ClientAuthEKUList Enabled="true">
<EKUMapInList>
<EKUName>AAD Conditional Access</EKUName>
</EKUMapInList>
</ClientAuthEKUList>
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
<EnableQuarantineChecks>false</EnableQuarantineChecks>
<RequireCryptoBinding>true</RequireCryptoBinding>
<PeapExtensions>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
</PeapExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<!--Sample routing policy: in this case, this is a split tunnel configuration with two routes configured-->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<!--VPN will be triggered for the two apps specified here-->
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>C:\windows\system32\ping.exe</Id>
</App>
</AppTrigger>
<!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by the routing configuration.-->
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile, the domain "hrsite.corporate.contoso.com" triggers VPN.-->
<DomainNameInformation>
<DomainName>hrsite.corporate.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that ID, VPN will be triggered.-->
<EdpModeId>corp.contoso.com</EdpModeId>
<RememberCredentials>true</RememberCredentials>
<!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the profile will not occur if the user is connected to the trusted network "contoso.com".-->
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
<!--Device compliance is enabled and an alternate certificate is specified for domain resource authentication.-->
<DeviceCompliance>
<Enabled>true</Enabled>
<Sso>
<Enabled>true</Enabled>
<Eku>This is my Eku</Eku>
<IssuerHash>This is my issuer hash</IssuerHash>
</Sso>
</DeviceCompliance>
</VPNProfile>
```
There can be many sets of rules which are linked by **OR**. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by **AND**. This gives the IT admins a lot of power to craft the perfect policy befitting their use case.
## Sample plug-in VPN profile
## LockDown VPN
The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
- The system attempts to keep the VPN connected at all times.
- The user cannot disconnect the VPN connection.
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
- Only one VPN LockDown profile is allowed on a device.
> **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
 
## Learn about VPN and the Conditional Access Framework in Azure Active Directory
```
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<PluginProfile>
<ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
<PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
<CustomConfiguration>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</CustomConfiguration>
</PluginProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
</AppTrigger>
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<!--<RoutingPolicyType>ForceTunnel</RoutingPolicyType>-->
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<Claims>O:SYG:SYD:(A;;CC;;;AU)</Claims>
<!--<RoutingPolicyType>SplitTunnel</RoutingPolicyType>-->
</TrafficFilter>
<DomainNameInformation>
<DomainName>corp.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>false</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--<EdpModeId>corp.contoso.com</EdpModeId>-->
<RememberCredentials>true</RememberCredentials>
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
</VPNProfile>
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
```
## Apply ProfileXML using Intune
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
The OMS-URI setting to apply ProfileXML is **./user/vendor/MSFT/*VPN profile name*/ProfileXML**.
![Paste your ProfileXML in OMA-URI Setting value field](images/vpn-profilexml-intune.png)
## Learn more
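Review bot: the OMA-URI given for applying ProfileXML, `./user/vendor/MSFT/*VPN profile name*/ProfileXML`, is missing the `VPNv2` node; the VPNv2 CSP root is `./Vendor/MSFT/VPNv2`, so the path should be `./user/vendor/MSFT/VPNv2/*VPN profile name*/ProfileXML` (or `./device/...` for a device-scoped profile), and the sentence says "OMS-URI" where "OMA-URI" is meant, as the image caption below it has it. In the native sample, both `ServerValidation` blocks set `<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>` together with an empty `<ServerNames></ServerNames>` and `<AcceptServerName>false</AcceptServerName>`, so the client accepts any server certificate chained to the two listed roots without checking the server name and never prompts; because the sample is meant to be copied, it should either populate `ServerNames` with the VPN server FQDN or carry a comment saying the production value must be set. The `<Sso>` block uses placeholder values (`<Eku>This is my Eku</Eku>`, `<IssuerHash>This is my issuer hash</IssuerHash>`); showing the real shapes (the comma-separated EKU list the conditional-access page describes, and a certificate issuer hash) would save readers a trip to the CSP reference. In the plug-in sample, `testserver2.contoso..com` has a doubled dot, and both `DomainNameInformation` entries use `corp.contoso.com` with different DNS servers, where the native sample uses `.corp.contoso.com` for the suffix rule. Typo: "configued" in the intro.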
@ -65,3 +305,13 @@ A VPN profile configured with LockDown secures the device to only allow network
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)

View File

@ -0,0 +1,68 @@
---
title: VPN routing decisions (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN routing decisions
**Applies to**
- Windows 10
- Windows 10 Mobile
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
## Split tunnel configuration
In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
For each route item in the list the following can be specified:
- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
- **Exclusion route**: VPNv2/*ProfileName*/RouteList/*routeRowId*/ExclusionRoute
Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration
In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isnt a specific route on the Physical Interface itself.
For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.
## Configure routing
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
![split tunnel](images/vpn-split.png)
Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
![add route for split tunnel](images/vpn-split-route.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
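Review bot: "Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface" reads as inverted relative to the split tunnel description two paragraphs earlier, where listed routes go over the VPN and all other traffic goes over the physical interface; an exclusion route in that model is a prefix that should not go over the VPN. Please confirm the intended direction and state it explicitly, for example "exclusion routes: prefixes that should be sent over the physical interface even though a broader route sends traffic over the VPN". Also, in the force tunnel paragraph, "for example. 0.0.0.0/0" should be "for example, 0.0.0.0/0 and ::/0" so both the v4 and v6 default routes the sentence mentions are shown, and "force Tunnel" / "Physical Interface" should be lowercase. Finally, `description: tbd` in the front matter needs a real description before this page ships.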

View File

@ -0,0 +1,87 @@
---
title: VPN security features (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerMS
localizationpriority: high
---
# VPN security features
**Applies to**
- Windows 10
- Windows 10 Mobile
## LockDown VPN
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
- The system attempts to keep the VPN connected at all times.
- The user cannot disconnect the VPN connection.
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
- Only one VPN LockDown profile is allowed on a device.
>[!NOTE]
>For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
## Windows Information Protection (WIP) integration with VPN
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
- Core functionality: File encryption and file access blocking
- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
[Learn more about Windows Information Protection](protect-enterprise-data-using-wip.md)
## Traffic filters
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
For example, an admin could define rules that specify:
- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
- All other apps on the device should be able to access only ports 80 or 443.
## Configure traffic filters
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
![Add a traffic rule](images/vpn-traffic-rules.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)
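Review bot: in the Traffic filters section, "Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types" is missing its verb and a space; suggest "Traffic filters let network admins effectively add interface-specific firewall rules on the VPN interface. There are two types". Further down, "The Contoso finance apps is allowed" should be "app is allowed" (or "apps are allowed"). The description of traffic-based rules as "5-tuple policies (ports, addresses, protocol)" names only three of the five fields; spelling out source/destination address, source/destination port and protocol makes the rule model clearer for anyone writing TrafficFilterList entries. As with the routing page, `description: tbd` in the front matter should be replaced before publishing.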

View File

@ -12,6 +12,13 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
| New or changed topic | Description |
| --- | --- |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. |
## September 2016
| New or changed topic | Description |

View File

@ -88,7 +88,7 @@ The following example is a complete lockdown XML file that disables Action Cente
![XML for Apps](images/AppsXML.png)
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. If you don't include the Apps setting in the file, all apps on the device are available to the user.
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
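Review bot: the removed sentence "If you don't include the Apps setting in the file, all apps on the device are available to the user" was the only statement of the default when the allow list is omitted. Because the paragraph describes an allow list that hides and blocks every app not included, readers building a lockdown file need to know what an absent Apps element means; if the behavior is unchanged, keep the sentence, and if it changed, replace it with the new default rather than dropping it silently.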

View File

@ -1353,3 +1353,5 @@ You can turn off automatic updates by doing one of the following. This is not re
- **5**. Turn off automatic updates.
To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.
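Review bot: the last sentence has a typo: "Make sure should you've chosen the right settings configuration" should be "Make sure you've chosen the right settings configuration for your environment before applying". Since the preceding sentence warns that some baseline settings reduce the security configuration of the device, it would help to point readers to which settings those are so they can exclude them before applying the baseline.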

View File

@ -24,6 +24,10 @@ Cortana in Windows 10 is already great at letting your employees quickly see wh
But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they wont be late.
>**Important**<br>
>Before your employees can use Cortana with Office 365, they must sign into Cortana using a Microsoft account (such as, @outlook.com), and then they must go to the **Connected Accounts** section of Cortanas notebook to turn on and connect to Office 365.
**More info:**
- For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717378) support topic.
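Review bot: "(such as, @outlook.com)" in the Important note has a stray comma; "(such as an @outlook.com account)" reads correctly.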

View File

@ -81,7 +81,7 @@ To align with the new method of delivering feature updates and quality updates i
The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
>[!NOTE]
>Servicing branches are not the only way to separate groups of machines when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
>Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
### Current Branch
@ -110,6 +110,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale
Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 23 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, its important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
>[!NOTE]

View File

@ -47,7 +47,7 @@ In this example, you use two security groups to manage your updates: **Ring 3 Br
5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
7. In the **Value** box, type **1**, and then click **OK**.
@ -78,7 +78,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
7. Click **OK** to save the setting.
@ -86,7 +86,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
11. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
12. In the **Value** box, type **1**.
@ -96,7 +96,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to enable the CB
15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
17. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
18. In the **Value** box, type **1**.
@ -134,7 +134,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **0**, and then click **OK**.
@ -146,7 +146,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 14 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **14**, and then click **OK**.
![Settings for this policy](images/waas-wufb-intune-step11a.png)
@ -174,7 +174,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **1**, and then click **OK**.
@ -186,7 +186,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **0**, and then click **OK**.
@ -216,7 +216,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f
4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **1**, and then click **OK**.
@ -228,7 +228,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f
8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
11. In the **Value** box, type **7**, and then click **OK**.
@ -236,7 +236,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f
8. In **Setting name**, type **Defer feature updates for 30 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **30**, and then click **OK**.

View File

@ -80,11 +80,6 @@ The following table lists the different parts of Start and any applicable policy
<td align="left">Group Policy: <strong>Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands</strong></td>
<td align="left">None</td>
</tr>
<tr class="odd">
<td align="left">All apps</td>
<td align="left">Group Policy: <strong>Remove All Programs list from the Start menu</strong></td>
<td align="left">None</td>
</tr>
<tr class="even">
<td align="left">Start layout</td>
<td align="left"><p>MDM: <strong>Start layout</strong></p>

View File

@ -57,7 +57,7 @@ Windows 10, version 1607, provides administrators with increased control over up
- Quality Updates can be deferred up to 30 days and paused for 35 days
- Feature Updates can be deferred up to 180 days and paused for 60 days
- Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB)
- Drivers can be excluded from udpates
- Drivers can be excluded from updates
## Security
@ -67,12 +67,13 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
### Windows Hello for Business
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Additional changes for Windows Hello in Windows 10, version 1607:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
<!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.-->
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
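Review bot: the HTML comment `<!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.-->` leaves a commented-out bullet in the shipped source; either delete it or restore it as a bullet once the capability is confirmed. Also, the changed sentence now says "Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality" while the sentence before it refers to "Microsoft Passport and Windows Hello"; using the same product name in both sentences avoids confusion about which deployment is meant.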