deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Edited short descriptions

Browse Source 
Edited metadata descriptions below 100 characters.
This commit is contained in:
jdmartinez36 2020-04-14 11:34:03 -06:00
parent 4229fb61db
commit 9ec5b0b45e
55 changed files with 1071 additions and 1012 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/deployment/add-store-apps-to-image.md
View File

@ -1,6 +1,6 @@
---
title: Add Microsoft Store for Business applications to a Windows 10 image
description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image.
description: This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image.
keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,6 +13,7 @@ ms.author: greglin
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Add Microsoft Store for Business applications to a Windows 10 image

3
windows/deployment/deploy-m365.md
View File

@ -3,7 +3,7 @@ title: Deploy Windows 10 with Microsoft 365
ms.reviewer:
manager: laurawi
ms.author: greglin
description: Concepts about deploying Windows 10 for M365
description: This article provides an overview about deploying Windows 10 for Microsoft 365, including how to use a free 90-day trial account.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -14,6 +14,7 @@ audience: itpro
author: greg-lindsay
ms.topic: article
ms.collection: M365-modern-desktop
ms.custom: seo-marvel-apr2020
---
# Deploy Windows 10 with Microsoft 365

5
windows/deployment/deploy-whats-new.md
View File

@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment
ms.reviewer:
manager: laurawi
ms.author: greglin
description: Changes and new features related to Windows 10 deployment
description: This article provides an overview of the new features and solutions related to Windows 10 deployment.
keywords: deployment, automate, tools, configure, news
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -13,6 +13,7 @@ ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# What's new in Windows 10 deployment
@ -54,7 +55,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
- **Improved update notifications**: When theres an update requiring you to restart your device, youll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.

3
windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -1,6 +1,6 @@
---
title: Finalize operating system configuration for Windows 10 deployment
description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment.
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
ms.reviewer:
manager: laurawi
@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager

21
windows/deployment/deploy-windows-to-go.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Windows To Go in your organization (Windows 10)
description: This topic helps you to deploy Windows To Go in your organization.
description: This article provides steps to deploy Windows To Go in your organization, including tips to plan and prepare for the deployment.
ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f
ms.reviewer:
manager: laurawi
@ -14,6 +14,7 @@ ms.pagetype: mobility
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Deploy Windows To Go in your organization
@ -113,7 +114,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with New-Partition…) Validate that this is the correct disk that you want to completely erase.
#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
#
# To skip the confirmation prompt, append confirm:$False
Clear-Disk InputObject $Disk[0] -RemoveData
@ -161,7 +162,7 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
```
~~~
5. Apply SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step:
5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step:
```
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
@ -291,7 +292,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer
- A Windows To Go drive that hasnt been booted or joined to the domain using unattend settings.
- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings.
- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer
@ -319,7 +320,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with New-Partition…) Validate that this is the correct disk that you want to completely erase.
#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
#
# To skip the confirmation prompt, append confirm:$False
Clear-Disk InputObject $Disk[0] -RemoveData
@ -414,7 +415,7 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
>[!NOTE]
>Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
You should now be able to access your organizations network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises.
You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises.
### Enable BitLocker protection for your Windows To Go drive
@ -467,7 +468,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with New-Partition…) Validate that this is the correct disk that you want to completely erase.
#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
#
# To skip the confirmation prompt, append confirm:$False
Clear-Disk InputObject $Disk[0] -RemoveData
@ -576,17 +577,17 @@ The sample script creates an unattend file that streamlines the deployment proce
* To run this sample script you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
* Using offline domain join is required by this script, since the script does not create a local administrator user account. However, domain membership will automatically put “Domain admins” into the local administrators group. Review your domain policies. If you are using DirectAccess you will need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters.
* Using offline domain join is required by this script, since the script does not create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you are using DirectAccess you will need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters.
* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
#### To run the advanced deployment sample script
1. Copy entire the code sample titled “Windows To Go multiple drive provisioning sample script” into a PowerShell script (.ps1) file.
1. Copy entire the code sample titled "Windows To Go multiple drive provisioning sample script" into a PowerShell script (.ps1) file.
2. Make the modifications necessary for it to be appropriate to your deployment and save the file.
3. Configure the PowerShell execution policy. By default PowerShells execution policy is set to Restricted; that means that scripts wont run until you have explicitly given them permission to. To configure PowerShells execution policy to allow the script to run, use the following command from an elevated PowerShell prompt:
3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt:
```
Set-ExecutionPolicy RemoteSigned

3
windows/deployment/deploy.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Windows 10 (Windows 10)
description: Deploying Windows 10 for IT professionals.
description: This article contains information for IT professionals on how to deploy Windows 10 or upgrade from a previous version of Windows.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.reviewer:
manager: laurawi
@ -13,6 +13,7 @@ ms.localizationpriority: medium
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Deploy Windows 10

3
windows/deployment/index.yml
View File

@ -5,7 +5,7 @@ title: Deploy and update Windows 10
metadata:
document_id:
title: Deploy and update Windows 10
description: Deploying and updating Windows 10 for IT professionals.
description: This landing page provides information about deploying and updating Windows 10 for IT professionals.
keywords: deploy, update, Windows, service, Microsoft365, e5, e3
ms.localizationpriority: high
author: greg-lindsay
@ -13,6 +13,7 @@ metadata:
manager: laurawi
ms.topic: article
ms.devlang: na
ms.custom: seo-marvel-apr2020
sections:
- items:

3
windows/deployment/mbr-to-gpt.md
View File

@ -1,6 +1,6 @@
---
title: MBR2GPT
description: How to use the MBR2GPT tool to convert MBR partitions to GPT
description: How to use the MBR2GPT tool to convert Master Boot Record (MBR) partitions to the GUID Partition Table (GPT).
keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
ms.prod: w10
ms.mktglfcycl: deploy
@ -15,6 +15,7 @@ ms.audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# MBR2GPT.EXE

478
windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
View File

@ -1,238 +1,240 @@
---
title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
# Available Data Types and Operators in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
## Available Data Types
Customized-compatibility databases in Compatibility Administrator contain the following data types.
- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
- **String**. A series of alphanumeric characters manipulated as a group.
- **Boolean**. A value of True or False.
## Available Attributes
The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Attribute</th>
<th align="left">Description</th>
<th align="left">Data type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>APP_NAME</p></td>
<td align="left"><p>Name of the application.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>DATABASE_GUID</p></td>
<td align="left"><p>Unique ID for your compatibility database.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>DATABASE_INSTALLED</p></td>
<td align="left"><p>Specifies if you have installed the database.</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="even">
<td align="left"><p>DATABASE_NAME</p></td>
<td align="left"><p>Descriptive name of your database.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>DATABASE_PATH</p></td>
<td align="left"><p>Location of the database on your computer.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>FIX_COUNT</p></td>
<td align="left"><p>Number of compatibility fixes applied to a specific application.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>FIX_NAME</p></td>
<td align="left"><p>Name of your compatibility fix.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>MATCH_COUNT</p></td>
<td align="left"><p>Number of matching files for a specific, fixed application.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>MATCHFILE_NAME</p></td>
<td align="left"><p>Name of a matching file used to identify a specific, fixed application.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>MODE_COUNT</p></td>
<td align="left"><p>Number of compatibility modes applied to a specific, fixed application.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>MODE_NAME</p></td>
<td align="left"><p>Name of your compatibility mode.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>PROGRAM_APPHELPTYPE</p></td>
<td align="left"><p>Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>PROGRAM_DISABLED</p></td>
<td align="left"><p>Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="even">
<td align="left"><p>PROGRAM_GUID</p></td>
<td align="left"><p>Unique ID for an application.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>PROGRAM_NAME</p></td>
<td align="left"><p>Name of the application that you are fixing.</p></td>
<td align="left"><p>String</p></td>
</tr>
</tbody>
</table>
## Available Operators
The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Symbol</th>
<th align="left">Description</th>
<th align="left">Data type</th>
<th align="left">Precedence</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>&gt;</p></td>
<td align="left"><p>Greater than</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>&gt;=</p></td>
<td align="left"><p>Greater than or equal to</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>&lt;</p></td>
<td align="left"><p>Less than</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>&lt;=</p></td>
<td align="left"><p>Less than or equal to</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>&lt;&gt;</p></td>
<td align="left"><p>Not equal to</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>=</p></td>
<td align="left"><p>Equal to</p></td>
<td align="left"><p>Integer, string, or Boolean</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>HAS</p></td>
<td align="left"><p>A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.</p></td>
<td align="left"><p><strong>Left-hand operand</strong>. MATCHFILE_NAME, MODE_NAME, FIX_NAME</p>
<div class="alert">
<strong>Note</strong><br/><p>Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.</p>
</div>
<div>
</div>
<p><strong>Right-hand operand</strong>. String</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>OR</p></td>
<td align="left"><p>Logical OR operator</p></td>
<td align="left"><p>Boolean</p></td>
<td align="left"><p>2</p></td>
</tr>
<tr class="odd">
<td align="left"><p>AND</p></td>
<td align="left"><p>Logical AND operator</p></td>
<td align="left"><p>Boolean</p></td>
<td align="left"><p>2</p></td>
</tr>
</tbody>
</table>
## Related topics
[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
---
title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
description: In this article, learn how the Compatibility Administrator tool provides a way to query your custom-compatibility databases.
ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Available Data Types and Operators in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
## Available Data Types
Customized-compatibility databases in Compatibility Administrator contain the following data types.
- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
- **String**. A series of alphanumeric characters manipulated as a group.
- **Boolean**. A value of True or False.
## Available Attributes
The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Attribute</th>
<th align="left">Description</th>
<th align="left">Data type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>APP_NAME</p></td>
<td align="left"><p>Name of the application.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>DATABASE_GUID</p></td>
<td align="left"><p>Unique ID for your compatibility database.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>DATABASE_INSTALLED</p></td>
<td align="left"><p>Specifies if you have installed the database.</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="even">
<td align="left"><p>DATABASE_NAME</p></td>
<td align="left"><p>Descriptive name of your database.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>DATABASE_PATH</p></td>
<td align="left"><p>Location of the database on your computer.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>FIX_COUNT</p></td>
<td align="left"><p>Number of compatibility fixes applied to a specific application.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>FIX_NAME</p></td>
<td align="left"><p>Name of your compatibility fix.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>MATCH_COUNT</p></td>
<td align="left"><p>Number of matching files for a specific, fixed application.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>MATCHFILE_NAME</p></td>
<td align="left"><p>Name of a matching file used to identify a specific, fixed application.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>MODE_COUNT</p></td>
<td align="left"><p>Number of compatibility modes applied to a specific, fixed application.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>MODE_NAME</p></td>
<td align="left"><p>Name of your compatibility mode.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="even">
<td align="left"><p>PROGRAM_APPHELPTYPE</p></td>
<td align="left"><p>Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.</p></td>
<td align="left"><p>Integer</p></td>
</tr>
<tr class="odd">
<td align="left"><p>PROGRAM_DISABLED</p></td>
<td align="left"><p>Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.</p></td>
<td align="left"><p>Boolean</p></td>
</tr>
<tr class="even">
<td align="left"><p>PROGRAM_GUID</p></td>
<td align="left"><p>Unique ID for an application.</p></td>
<td align="left"><p>String</p></td>
</tr>
<tr class="odd">
<td align="left"><p>PROGRAM_NAME</p></td>
<td align="left"><p>Name of the application that you are fixing.</p></td>
<td align="left"><p>String</p></td>
</tr>
</tbody>
</table>
## Available Operators
The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Symbol</th>
<th align="left">Description</th>
<th align="left">Data type</th>
<th align="left">Precedence</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>&gt;</p></td>
<td align="left"><p>Greater than</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>&gt;=</p></td>
<td align="left"><p>Greater than or equal to</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>&lt;</p></td>
<td align="left"><p>Less than</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>&lt;=</p></td>
<td align="left"><p>Less than or equal to</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>&lt;&gt;</p></td>
<td align="left"><p>Not equal to</p></td>
<td align="left"><p>Integer or string</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>=</p></td>
<td align="left"><p>Equal to</p></td>
<td align="left"><p>Integer, string, or Boolean</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>HAS</p></td>
<td align="left"><p>A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.</p></td>
<td align="left"><p><strong>Left-hand operand</strong>. MATCHFILE_NAME, MODE_NAME, FIX_NAME</p>
<div class="alert">
<strong>Note</strong><br/><p>Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.</p>
</div>
<div>
</div>
<p><strong>Right-hand operand</strong>. String</p></td>
<td align="left"><p>1</p></td>
</tr>
<tr class="even">
<td align="left"><p>OR</p></td>
<td align="left"><p>Logical OR operator</p></td>
<td align="left"><p>Boolean</p></td>
<td align="left"><p>2</p></td>
</tr>
<tr class="odd">
<td align="left"><p>AND</p></td>
<td align="left"><p>Logical AND operator</p></td>
<td align="left"><p>Boolean</p></td>
<td align="left"><p>2</p></td>
</tr>
</tbody>
</table>
## Related topics
[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)

110
windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
View File

@ -1,54 +1,56 @@
---
title: Best practice recommendations for Windows To Go (Windows 10)
description: Best practice recommendations for Windows To Go
ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
ms.reviewer:
manager: laurawi
ms.author: greglin
keywords: best practices, USB, device, boot
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
audience: itpro author: greg-lindsay
ms.topic: article
---
# Best practice recommendations for Windows To Go
**Applies to**
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following are the best practice recommendations for using Windows To Go:
- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive.
- Do not insert the Windows To Go drive into a running computer.
- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer.
- If available, use a USB 3.0 port with Windows To Go.
- Do not install non-Microsoft core USB drivers on Windows To Go.
- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection.
Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain.
## More information
[Windows To Go: feature overview](windows-to-go-overview.md)<br>
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)<br>
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)<br>
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)<br>
[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)<br>
 
 
---
title: Best practice recommendations for Windows To Go (Windows 10)
description: This article contains best practice recommendations for Windows To Go, such as using a USB 3.0 port.
ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
ms.reviewer:
manager: laurawi
ms.author: greglin
keywords: best practices, USB, device, boot
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Best practice recommendations for Windows To Go
**Applies to**
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following are the best practice recommendations for using Windows To Go:
- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive.
- Do not insert the Windows To Go drive into a running computer.
- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer.
- If available, use a USB 3.0 port with Windows To Go.
- Do not install non-Microsoft core USB drivers on Windows To Go.
- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection.
Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain.
## More information
[Windows To Go: feature overview](windows-to-go-overview.md)<br>
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)<br>
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)<br>
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)<br>
[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)<br>
 
 

5
windows/deployment/planning/deployment-considerations-for-windows-to-go.md
View File

@ -1,6 +1,6 @@
---
title: Deployment considerations for Windows To Go (Windows 10)
description: Deployment considerations for Windows To Go
description: This article provides information about deployment considerations for Windows To Go, such as boot experience, deployment methods, and tools.
ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
ms.reviewer:
manager: laurawi
@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Deployment considerations for Windows To Go
@ -51,7 +52,7 @@ When a Windows To Go workspace is first used at the workplace, the Windows To Go
![initial boot off-premises](images/wtg-first-boot-home.gif)
When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employees home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
> [!TIP]
> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076).

5
windows/deployment/planning/features-lifecycle.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 features lifecycle
description: Learn about the lifecycle of Windows 10 features
description: In this article, learn about the lifecycle of Windows 10 features, such as what's new and what's been removed.
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
@ -10,6 +10,7 @@ author: greg-lindsay
manager: laurawi
ms.author: greglin
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows 10 features lifecycle
@ -21,7 +22,7 @@ Each release of Windows 10 contains many new and improved features. Occasionally
The following topic lists features that are no longer being developed. These features might be removed in a future release.
[Windows 10 features were no longer developing](windows-10-deprecated-features.md)
[Windows 10 features we're no longer developing](windows-10-deprecated-features.md)
## Features removed

15
windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
View File

@ -1,6 +1,6 @@
---
title: Prepare your organization for Windows To Go (Windows 10)
description: Prepare your organization for Windows To Go
description: This article provides information to help you plan and design a new deployment of Windows To Go in your production environment.
ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff
ms.reviewer:
manager: laurawi
@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Prepare your organization for Windows To Go
@ -25,7 +26,7 @@ ms.topic: article
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go.
The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the "what", "why", and "when" questions an IT professional might have when planning to deploy Windows To Go.
## What is Windows To Go?
@ -51,16 +52,16 @@ The following scenarios are examples of situations in which Windows To Go worksp
- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes.
- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the workers personal computer.
- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer.
- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer.
- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employees credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
> [!NOTE]
> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspaces computer object is not potentially deleted from Active Directory Domain Services (AD DS).
> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object is not potentially deleted from Active Directory Domain Services (AD DS).
@ -76,7 +77,7 @@ Windows To Go uses volume activation. You can use either Active Directory-based
Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
You should investigate other software manufacturers licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
You should investigate other software manufacturer's licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
> [!NOTE]
> Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive.
@ -102,7 +103,7 @@ If you configure Windows To Go drives for scenarios where drives may remain unus
## User account and data management
People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the users profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924).
People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924).
Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace.

190
windows/deployment/planning/using-the-compatibility-administrator-tool.md
View File

@ -1,94 +1,96 @@
---
title: Using the Compatibility Administrator Tool (Windows 10)
description: This section provides information about using the Compatibility Administrator tool.
ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
# Using the Compatibility Administrator Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
This section provides information about using the Compatibility Administrator tool.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="available-data-types-and-operators-in-compatibility-administrator.md" data-raw-source="[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)">Available Data Types and Operators in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool provides a way to query your custom-compatibility databases.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="searching-for-fixed-applications-in-compatibility-administrator.md" data-raw-source="[Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)">Searching for Fixed Applications in Compatibility Administrator</a></p></td>
<td align="left"><p>With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md" data-raw-source="[Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)">Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator</a></p></td>
<td align="left"><p>You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="creating-a-custom-compatibility-fix-in-compatibility-administrator.md" data-raw-source="[Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)">Creating a Custom Compatibility Fix in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool uses the term <em>fix</em> to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="creating-a-custom-compatibility-mode-in-compatibility-administrator.md" data-raw-source="[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)">Creating a Custom Compatibility Mode in Compatibility Administrator</a></p></td>
<td align="left"><p>Windows® provides several <em>compatibility modes</em>, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="creating-an-apphelp-message-in-compatibility-administrator.md" data-raw-source="[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)">Creating an AppHelp Message in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="viewing-the-events-screen-in-compatibility-administrator.md" data-raw-source="[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)">Viewing the Events Screen in Compatibility Administrator</a></p></td>
<td align="left"><p>The <strong>Events</strong> screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md" data-raw-source="[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)">Enabling and Disabling Compatibility Fixes in Compatibility Administrator</a></p></td>
<td align="left"><p>You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md" data-raw-source="[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)">Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.</p></td>
</tr>
</tbody>
</table>
---
title: Using the Compatibility Administrator Tool (Windows 10)
description: This article provides information about using the Compatibility Administrator tool, which provides functions like querying your custom-compatibility databases.
ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Using the Compatibility Administrator Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
This section provides information about using the Compatibility Administrator tool.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="available-data-types-and-operators-in-compatibility-administrator.md" data-raw-source="[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)">Available Data Types and Operators in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool provides a way to query your custom-compatibility databases.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="searching-for-fixed-applications-in-compatibility-administrator.md" data-raw-source="[Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)">Searching for Fixed Applications in Compatibility Administrator</a></p></td>
<td align="left"><p>With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md" data-raw-source="[Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)">Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator</a></p></td>
<td align="left"><p>You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="creating-a-custom-compatibility-fix-in-compatibility-administrator.md" data-raw-source="[Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)">Creating a Custom Compatibility Fix in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool uses the term <em>fix</em> to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="creating-a-custom-compatibility-mode-in-compatibility-administrator.md" data-raw-source="[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)">Creating a Custom Compatibility Mode in Compatibility Administrator</a></p></td>
<td align="left"><p>Windows&reg; provides several <em>compatibility modes</em>, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="creating-an-apphelp-message-in-compatibility-administrator.md" data-raw-source="[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)">Creating an AppHelp Message in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows&reg; operating system.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="viewing-the-events-screen-in-compatibility-administrator.md" data-raw-source="[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)">Viewing the Events Screen in Compatibility Administrator</a></p></td>
<td align="left"><p>The <strong>Events</strong> screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md" data-raw-source="[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)">Enabling and Disabling Compatibility Fixes in Compatibility Administrator</a></p></td>
<td align="left"><p>You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md" data-raw-source="[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)">Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator</a></p></td>
<td align="left"><p>The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.</p></td>
</tr>
</tbody>
</table>

9
windows/deployment/planning/windows-10-removed-features.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 - Features that have been removed
description: Learn about features and functionality that has been removed or replaced in Windows 10
description: In this article, learn about features and functionality that has been removed or replaced in Windows 10.
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
@ -10,6 +10,7 @@ author: greg-lindsay
ms.author: greglin
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Features and functionality removed in Windows 10
@ -18,7 +19,7 @@ ms.topic: article
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.**
For information about features that might be removed in a future release, see [Windows 10 features were no longer developing](windows-10-deprecated-features.md)
For information about features that might be removed in a future release, see [Windows 10 features we're no longer developing](windows-10-deprecated-features.md)
> [!NOTE]
> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
@ -35,10 +36,10 @@ The following features and functionalities have been removed from the installed
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| 1809 |
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|Were no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 |
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |

58
windows/deployment/planning/windows-to-go-frequently-asked-questions.md
View File

@ -1,6 +1,6 @@
---
title: Windows To Go frequently asked questions (Windows 10)
description: Windows To Go frequently asked questions
description: In this article, you can find answers to frequently asked questions (FAQs) about Windows To Go, such as hardware requirements and supported features.
ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
ms.reviewer:
manager: laurawi
@ -49,13 +49,13 @@ The following list identifies some commonly asked questions about Windows To Go.
- [How do I make my computer boot from USB?](#wtf-faq-startup)
- [Why isnt my computer booting from USB?](#wtg-faq-noboot)
- [Why isn't my computer booting from USB?](#wtg-faq-noboot)
- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise)
- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker)
- [Why cant I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail)
- [Why can't I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail)
- [What power states does Windows To Go support?](#wtg-faq-power)
@ -63,11 +63,11 @@ The following list identifies some commonly asked questions about Windows To Go.
- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump)
- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot)
- [Do "Windows To Go Startup Options" work with dual boot computers?](#wtg-faq-dualboot)
- [I plugged my Windows To Go drive into a running computer and I cant see the partitions on the drive. Why not?](#wtg-faq-diskpart)
- [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#wtg-faq-diskpart)
- [Im booted into Windows To Go, but I cant browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4)
- [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4)
- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr)
@ -95,17 +95,17 @@ The following list identifies some commonly asked questions about Windows To Go.
- [How is Windows To Go licensed?](#wtg-faq-lic)
- [Does Windows Recovery Environment work with Windows To Go? Whats the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery)
- [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery)
- [Why wont Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos)
- [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos)
- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2)
- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey)
- [I decided to stop using a drive for Windows To Go and reformatted it why doesnt it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat)
- [I decided to stop using a drive for Windows To Go and reformatted it why doesn't it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat)
- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict)
- [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#bkmk-roamconflict)
- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg)
@ -188,7 +188,7 @@ In the **Windows To Go Startup Options** dialog box select **Yes** and then clic
If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually.
To do this, early during boot time (usually when you see the manufacturers logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturers site to be sure if you do not know which key to use to enter firmware setup.)
To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.)
After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first.
@ -201,14 +201,14 @@ Configuring a computer to boot from USB will cause your computer to attempt to b
## <a href="" id="wtg-faq-noboot"></a>Why isnt my computer booting from USB?
## <a href="" id="wtg-faq-noboot"></a>Why isn't my computer booting from USB?
Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device.
2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers dont support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port.
@ -229,7 +229,7 @@ You should never remove your Windows To Go drive when your workspace is running.
Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace.
## <a href="" id="wtg-faq-blfail"></a>Why cant I enable BitLocker from Windows To Go Creator?
## <a href="" id="wtg-faq-blfail"></a>Why can't I enable BitLocker from Windows To Go Creator?
Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types.
@ -265,27 +265,27 @@ When a Windows To Go workspace is hibernated, it will only successfully resume o
Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
## <a href="" id="wtg-faq-dualboot"></a>Do “Windows To Go Startup Options” work with dual boot computers?
## <a href="" id="wtg-faq-dualboot"></a>Do "Windows To Go Startup Options" work with dual boot computers?
Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported.
## <a href="" id="wtg-faq-diskpart"></a>I plugged my Windows To Go drive into a running computer and I cant see the partitions on the drive. Why not?
## <a href="" id="wtg-faq-diskpart"></a>I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?
Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. Thats why you cant see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
**Warning**  
It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised.
## <a href="" id="wtg-faq-san4"></a>Im booted into Windows To Go, but I cant browse to the internal hard drive of the host computer. Why not?
## <a href="" id="wtg-faq-san4"></a>I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?
Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. Thats why you cant see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
**Warning**  
It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
@ -340,7 +340,7 @@ If you are using a USB 3.0 port and a Windows To Go certified device, there shou
## <a href="" id="wtg-faq-safeloss"></a>If I lose my Windows To Go drive, will my data be safe?
Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you dont enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
## <a href="" id="wtg-faq-mac"></a>Can I boot Windows To Go on a Mac?
@ -361,12 +361,12 @@ For more information, see the MSDN article on the [Win32\_OperatingSystem class]
Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC.
## <a href="" id="wtg-faq-recovery"></a>Does Windows Recovery Environment work with Windows To Go? Whats the guidance for recovering a Windows To Go drive?
## <a href="" id="wtg-faq-recovery"></a>Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?
No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace.
## <a href="" id="wtg-faq-oldos"></a>Why wont Windows To Go work on a computer running Windows XP or Windows Vista?
## <a href="" id="wtg-faq-oldos"></a>Why won't Windows To Go work on a computer running Windows XP or Windows Vista?
Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
@ -374,7 +374,7 @@ Actually it might. If you have purchased a computer certified for Windows 7 or
## <a href="" id="wtg-faq-oldos2"></a>Why does the operating system on the host computer matter?
It doesnt other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
## <a href="" id="wtg-faq-blreckey"></a>My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
@ -406,10 +406,10 @@ The host computer will now be able to be booted from a USB drive without trigger
## <a href="" id="wtg-faq-reformat"></a>I decided to stop using a drive for Windows To Go and reformatted it why doesnt it have a drive letter assigned and how can I fix it?
## <a href="" id="wtg-faq-reformat"></a>I decided to stop using a drive for Windows To Go and reformatted it why doesn't it have a drive letter assigned and how can I fix it?
Reformatting the drive erases the data on the drive, but doesnt reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
1. Open a command prompt with full administrator permissions.
@ -424,14 +424,14 @@ Reformatting the drive erases the data on the drive, but doesnt reconfigure t
4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive.
## <a href="" id="bkmk-roamconflict"></a>Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?
## <a href="" id="bkmk-roamconflict"></a>Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?
One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
In certain cases, third party drivers for different hardware models or versions can reuse device IDs, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device IDs, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers.
This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers.
## <a href="" id="bkmk-upgradewtg"></a>How do I upgrade the operating system on my Windows To Go drive?

9
windows/deployment/s-mode.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
description: This article provides an overview of Windows 10 Pro/Enterprise in S mode, including information about configuration and features.
keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -15,6 +15,7 @@ author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows 10 in S mode - What is it?
@ -25,15 +26,15 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update
## S mode key features
**Microsoft-verified security**
With Windows 10 in S mode, youll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where theyre Microsoft-verified for security. You can also feel secure when youre online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
**Performance that lasts**
Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, youll enjoy a smooth, responsive experience, whether youre streaming HD video, opening apps, or being productive on the go.
Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go.
**Choice and flexibility**
Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you dont find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
![Switching out of S mode flow chart](images/s-mode-flow-chart.png)

3
windows/deployment/update/feature-update-conclusion.md
View File

@ -1,6 +1,6 @@
---
title: Best practices for feature updates - conclusion
description: Final thoughts about how to deploy feature updates
description: This article contains final thoughts about best practices when deploying feature updates for Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Conclusion

7
windows/deployment/update/feature-update-maintenance-window.md
View File

@ -1,6 +1,6 @@
---
title: Best practices - deploy feature updates during maintenance windows
description: Learn how to deploy feature updates during a maintenance window
description: In this article, learn how to get ready and then deploy feature updates for Windows 10 during a maintenance window.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Deploy feature updates during maintenance windows
@ -34,7 +35,7 @@ Use the following information to deploy feature updates during a maintenance win
### Step 2: Review computer restart device settings
If youre not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration.
If you're not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration.
For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update.
@ -51,7 +52,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc
### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later)
If youre deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini

5
windows/deployment/update/feature-update-mission-critical.md
View File

@ -1,6 +1,6 @@
---
title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
description: Learn how to deploy feature updates to your mission-critical devices
description: In this article, learn about best practices to follow when deploying Windows 10 feature updates to your mission-critical devices.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -12,13 +12,14 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
**Applies to**: Windows 10
Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often arent the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service).

5
windows/deployment/update/feature-update-user-install.md
View File

@ -1,6 +1,6 @@
---
title: Best practices - deploy feature updates for user-initiated installations
description: Learn how to manually deploy feature updates
description: In this article, learn how to prepare and then manually deploy feature updates for user-initiated installations.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Deploy feature updates for user-initiated installations (during a fixed service window)
@ -29,7 +30,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
If youre deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini

7
windows/deployment/update/fod-and-lang-packs.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM
description: Learn how to make FoD and language packs available when you're using WSUS/SCCM
description: Learn how to make Features on Demand (FoD) and language packs available when you're using WSUS/SCCM.
ms.prod: w10
ms.mktglfcycl: manage
@ -13,6 +13,7 @@ ms.date: 03/13/2019
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# How to make Features on Demand and language packs available when you're using WSUS/SCCM
@ -20,11 +21,11 @@ ms.topic: article
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, its important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
In Windows 10 version 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. Its currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS or SCCM or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.

11
windows/deployment/update/how-windows-update-works.md
View File

@ -1,6 +1,6 @@
---
title: How Windows Update works
description: Learn how Windows Update works, including architecture and troubleshooting.
description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 PC.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# How does Windows Update work?
@ -45,7 +46,7 @@ The Windows Update workflow has four core areas of functionality:
## How updating works
During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesnt disrupt your computer usage.
During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn't disrupt your computer usage.
## Scanning updates
![Windows Update scanning step](images/update-scan-step.png)
@ -80,7 +81,7 @@ Windows Update takes the following sets of actions when it runs a scan.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates.
- The scan first generates a "ComApi" message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
@ -119,7 +120,7 @@ Common update failure is caused due to network issues. To find the root of the i
> [!NOTE]
> Warning messages for SLS can be ignored if the search is against WSUS/SCCM.
- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and cant scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since its locally configured.
- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can't scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it's locally configured.
![Windows Update scan log 3](images/update-scan-log-3.png)
## Downloading updates
@ -127,7 +128,7 @@ Common update failure is caused due to network issues. To find the root of the i
Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer.
To ensure that your other downloads arent affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption.
To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption.
For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).

5
windows/deployment/update/olympia/olympia-enrollment-guidelines.md
View File

@ -1,6 +1,6 @@
---
title: Olympia Corp enrollment guidelines
description: Olympia Corp enrollment guidelines
description: Learn about the enrollment guidelines for Olympia Corp, a virtual corporation created as part of the Windows Insider Lab for Enterprise.
ms.author: jaimeo
ms.topic: article
ms.prod: w10
@ -11,6 +11,7 @@ author: jaimeo
ms.reviewer:
manager: laurawi
keywords: insider, trial, enterprise, lab, corporation, test
ms.custom: seo-marvel-apr2020
---
# Olympia Corp
@ -96,7 +97,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
![Settings -> Accounts](images/1-1.png)
2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
3. Click **Connect**, then click **Join this device to Azure Active Directory**.
![Update your password](images/2-3.png)

3
windows/deployment/update/servicing-stack-updates.md
View File

@ -1,6 +1,6 @@
---
title: Servicing stack updates (Windows 10)
description: Servicing stack updates improve the code that installs the other updates.
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Servicing stack updates

5
windows/deployment/update/update-compliance-delivery-optimization.md
View File

@ -2,7 +2,7 @@
title: Delivery Optimization in Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
description: new Delivery Optimization data displayed in Update Compliance
description: Learn how new Delivery Optimization data displays in Update Compliance, including observed bandwidth savings across devices using peer-to-peer distribution.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -13,6 +13,7 @@ keywords: oms, operations management suite, optimization, downloads, updates, lo
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Delivery Optimization in Update Compliance
@ -41,5 +42,5 @@ The table breaks down the number of bytes from each download source into specifi
The download sources that could be included are:
- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.

5
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -2,7 +2,7 @@
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: laurawi
description: an overview of the Feature Update Status report
description: This article contains an overview of the Feature Update Status report, which provides information about the status of feature updates across all devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -12,6 +12,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Feature Update Status
@ -37,7 +38,7 @@ Refer to the following list for what each state means:
## Compatibility holds
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the devices upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status).

3
windows/deployment/update/update-compliance-need-attention.md
View File

@ -2,7 +2,7 @@
title: Update Compliance - Need Attention! report
ms.reviewer:
manager: laurawi
description: an overview of the Update Compliance Need Attention! report
description: This article contains an overview of the Update Compliance Needs Attention! report, which provides information like the number of devices that have issues.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -12,6 +12,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Needs attention!

3
windows/deployment/update/update-compliance-perspectives.md
View File

@ -2,7 +2,7 @@
title: Update Compliance - Perspectives
ms.reviewer:
manager: laurawi
description: an overview of Update Compliance Perspectives
description: This article contains an overview of Update Compliance Perspectives, which provide elaborations on specific queries.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -12,6 +12,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Perspectives

3
windows/deployment/update/update-compliance-security-update-status.md
View File

@ -2,7 +2,7 @@
title: Update Compliance - Security Update Status report
ms.reviewer:
manager: laurawi
description: an overview of the Security Update Status report
description: This article is an overview of the Security Update Status report, providing information about security updates across all devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -10,6 +10,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Security Update Status

11
windows/deployment/update/update-compliance-using.md
View File

@ -2,7 +2,7 @@
title: Using Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
description: Explains how to begin using Update Compliance.
description: Learn how to begin using Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,6 +13,7 @@ ms.author: jaimeo
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Use Update Compliance
@ -28,7 +29,7 @@ Update Compliance:
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile
After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), youll see this tile:
After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
![Update Compliance tile no data](images/UC_tile_assessing.png)
@ -48,7 +49,7 @@ When you select this tile, you will be redirected to the Update Compliance works
![The Overview blade](images/UC_workspace_overview_blade.png)
Update Compliances overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
@ -84,9 +85,9 @@ This means you should generally expect to see new data device data every 24 hour
Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance.
See below for a few topics related to Log Analytics:
* Learn how to effectively execute custom Log Searches by referring to Microsoft Azures excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards).
* [Gain an overview of Log Analytics alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about.
* [Gain an overview of Log Analytics' alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about.
## Related topics

3
windows/deployment/update/update-compliance-wd-av-status.md
View File

@ -2,7 +2,7 @@
title: Update Compliance - Windows Defender AV Status report
ms.reviewer:
manager: laurawi
description: an overview of the Windows Defender AV Status report
description: This article is an overview of the Windows Defender AV Status report, which shows data about signature and threat status.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -12,6 +12,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Defender AV Status

7
windows/deployment/update/waas-branchcache.md
View File

@ -1,6 +1,6 @@
---
title: Configure BranchCache for Windows 10 updates (Windows 10)
description: Use BranchCache to optimize network bandwidth during update deployment.
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@ -9,6 +9,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Configure BranchCache for Windows 10 updates
@ -20,7 +21,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and its easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
@ -33,7 +34,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
## Configure clients for BranchCache
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopters Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter's Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.

11
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -2,7 +2,7 @@
title: Delivery Optimization reference
ms.reviewer:
manager: laurawi
description: Reference of all Delivery Optimization settings and descriptions of same
description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,6 +13,7 @@ ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Delivery Optimization reference
@ -107,10 +108,10 @@ Download mode dictates which download sources clients are allowed to use when do
| --- | --- |
| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
| LAN (1 Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.|
| Group (2) | When group mode is set, the group is automatically selected based on the devices Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
>[!NOTE]
>Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
@ -152,7 +153,7 @@ This setting specifies the required minimum disk size (capacity in GB) for the d
### Max Cache Age
In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
### Max Cache Size
@ -184,7 +185,7 @@ This setting specifies the maximum download bandwidth that Delivery Optimization
### Max Upload Bandwidth
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
### Set Business Hours to Limit Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.

7
windows/deployment/update/waas-delivery-optimization-setup.md
View File

@ -2,7 +2,7 @@
title: Set up Delivery Optimization
ms.reviewer:
manager: laurawi
description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,6 +12,7 @@ ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Set up Delivery Optimization for Windows 10 updates
@ -47,7 +48,7 @@ Quick-reference table:
### Hybrid WAN scenario
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites arent aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
@ -97,7 +98,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
## Monitor Delivery Optimization
[//]: # (How to tell if its working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
[//]: # (How to tell if it's working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
### Windows PowerShell cmdlets

15
windows/deployment/update/waas-delivery-optimization.md
View File

@ -2,7 +2,7 @@
title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
ms.reviewer:
manager: laurawi
description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,6 +13,7 @@ ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Delivery Optimization for Windows 10 updates
@ -87,7 +88,7 @@ For complete list of every possible Delivery Optimization setting, see [Delivery
## How Microsoft uses Delivery Optimization
At Microsoft, to help ensure that ongoing deployments werent affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
@ -131,11 +132,11 @@ This section summarizes common problems and some solutions to try.
### If you don't see any bytes from peers
If you dont see any bytes coming from peers the cause might be one of the following issues:
If you don't see any bytes coming from peers the cause might be one of the following issues:
- Clients arent able to reach the Delivery Optimization cloud services.
- The cloud service doesnt see other peers on the network.
- Clients arent able to connect to peers that are offered back from the cloud service.
- Clients aren't able to reach the Delivery Optimization cloud services.
- The cloud service doesn't see other peers on the network.
- Clients aren't able to connect to peers that are offered back from the cloud service.
### Clients aren't able to reach the Delivery Optimization cloud services.
@ -155,7 +156,7 @@ If you suspect this is the problem, try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and ensure that **DownloadMode** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated Powershell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. To do this, open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices arent reporting the same public IP address.
4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. To do this, open a browser Windows and search for "what is my IP". You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices aren't reporting the same public IP address.
### Clients aren't able to connect to peers offered by the cloud service

13
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -2,13 +2,14 @@
title: Deploy updates using Windows Update for Business (Windows 10)
ms.reviewer:
manager: laurawi
description: Windows Update for Business lets you manage when devices received updates from Windows Update.
description: Learn how Windows Update for Business lets you manage when devices received updates from Windows Update.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Deploy updates using Windows Update for Business
@ -88,16 +89,16 @@ The branch readiness level enables administrators to specify which channel of fe
- Windows Insider Release Preview
- Semi-annual Channel for released updates
Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a releases Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release's Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
### Recommendations
For the best experience with Windows Update, follow these guidelines:
- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
- Make sure that devices have at least 10 GB of free space.
- Give devices unobstructed access to the Windows Update service.
- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
- Make sure that devices have at least 10 GB of free space.
- Give devices unobstructed access to the Windows Update service.
## Monitor Windows Updates by using Update Compliance

15
windows/deployment/update/waas-servicing-differences.md
View File

@ -2,7 +2,7 @@
title: Servicing differences between Windows 10 and older operating systems
ms.reviewer:
manager: laurawi
description: Learn the differences between servicing Windows 10 and servicing older operating systems.
description: In this article, learn the differences between servicing Windows 10 and servicing older operating systems.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
@ -13,6 +13,7 @@ ms.audience: itpro
author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
ms.custom: seo-marvel-apr2020
---
# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
@ -32,7 +33,7 @@ Prior to Windows 10, all updates to operating system (OS) components were publis
As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If youve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you've seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
## Windows 10 Next generation
Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
@ -65,12 +66,12 @@ While Windows 10 updates could have been controlled as cumulative from "Day 1,"
Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current months Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month's Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
![Legacy OS security-only update model](images/security-only-update.png)
*Figure 2.0 - Legacy OS security-only update model*
Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsofts test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft's test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
### Points to consider
- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
@ -84,7 +85,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi
- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
## Public preview releases
Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that months B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next months B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month's B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month's B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
> [!NOTE]
> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10.
@ -103,9 +104,9 @@ All of these updates are cumulative and build on each other for Windows 10. This
*Figure 3.0 - Preview releases within the Windows 10 LCU model*
## Previews vs. on-demand releases
In 2018, we experienced incidents which required urgent remediation that didnt map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
In 2018, we experienced incidents which required urgent remediation that didn't map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next months Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month's Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
### Point to consider
- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.

13
windows/deployment/update/waas-wu-settings.md
View File

@ -1,6 +1,6 @@
---
title: Manage additional Windows Update settings (Windows 10)
description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
description: In this article, learn about additional settings to control the behavior of Windows Update (WU) in Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,6 +12,7 @@ author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Manage additional Windows Update settings
@ -66,7 +67,7 @@ This setting lets you specify a server on your network to function as an interna
To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization dont have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
@ -91,9 +92,9 @@ If the setting is set to **Enabled**, Windows will check for available updates a
If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
>[!NOTE]
>The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
>The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect.
>
>If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
>If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
@ -121,7 +122,7 @@ If the setting is set to **Disabled** or **Not Configured**, no target group inf
If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
>[!NOTE]
>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect.
### Allow signed updates from an intranet Microsoft update service location
@ -129,7 +130,7 @@ This policy setting allows you to manage whether Automatic Updates accepts updat
To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
>[!NOTE]

13
windows/deployment/update/waas-wufb-intune.md
View File

@ -1,6 +1,6 @@
---
title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
description: Configure Windows Update for Business settings using Microsoft Intune.
description: In this article, learn how to configure Windows Update for Business settings using Microsoft Intune.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -12,6 +12,7 @@ ms.date: 07/27/2017
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Walkthrough: use Microsoft Intune to configure Windows Update for Business
@ -29,7 +30,7 @@ ms.topic: article
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
You can use Intune to configure Windows Update for Business even if you dont have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
You can use Intune to configure Windows Update for Business even if you don't have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
@ -42,7 +43,7 @@ To use Intune to manage quality and feature updates in your environment, you mus
In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as theyre released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they're released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
>[!NOTE]
@ -71,7 +72,7 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br
![Settings for this policy](images/waas-wufb-intune-step7a.png)
8. For this deployment ring, youre required to enable only CBB, so click **Save Policy**.
8. For this deployment ring, you're required to enable only CBB, so click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business CBB1** dialog box, click **Yes**.
@ -175,7 +176,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
10. In the **Manage Deployment: Windows Update for Business CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as theyre available.
You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they're available.
### Configure Ring 4 Broad business users policy
@ -216,7 +217,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
14. In the **Manage Deployment: Windows Update for Business CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as theyre available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they're available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
### Configure Ring 5 Broad business users \#2 policy

3
windows/deployment/update/windows-update-error-reference.md
View File

@ -1,6 +1,6 @@
---
title: Windows Update error code list by component
description: Reference information for Windows Update error codes
description: In this article, you can find reference information for Windows Update error codes, such as Automatic Update and UI errors.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@ -13,6 +13,7 @@ ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Update error codes by component

3
windows/deployment/update/windows-update-errors.md
View File

@ -1,6 +1,6 @@
---
title: Windows Update common errors and mitigation
description: Learn about some common issues you might experience with Windows Update
description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@ -13,6 +13,7 @@ ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Update common errors and mitigation

13
windows/deployment/update/windows-update-logs.md
View File

@ -1,6 +1,6 @@
---
title: Windows Update log files
description: Learn about the Windows Update log files
description: In this article, learn about the Windows Update log files, including file generation, components, and structure.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@ -13,6 +13,7 @@ ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Update log files
@ -66,7 +67,7 @@ The WU engine has different component names. The following are some of the most
- IdleTimer - Tracking active calls, stopping a service
>[!NOTE]
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on whats important.
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
### Windows Update log structure
The Windows update log structure is separated into four main identities:
@ -114,7 +115,7 @@ Search for and identify the components that are associated with the IDs. Differe
#### Update identifiers
##### Update ID and revision number
There are different identifiers for the same update in different contexts. Its important to know the identifier schemes.
There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time
- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
- Revision numbers are reused from one update to another (not a unique identifier).
@ -123,8 +124,8 @@ There are different identifiers for the same update in different contexts. It
##### Revision ID
- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service.
- An existing update thats revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID.
- A Revision ID (do no confuse this with "revision number") is a serial number that's issued when an update is initially published or revised on a given service.
- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID.
- Revision IDs are unique on a given update source, but not across multiple sources.
- The same update revision may have completely different revision IDs on WU and WSUS.
- The same revision ID may represent different updates on WU and WSUS.
@ -133,7 +134,7 @@ There are different identifiers for the same update in different contexts. It
- Local ID is a serial number issued when an update is received from a service by a given WU client
- Usually seen in debug logs, especially involving the local cache for update info (Datastore)
- Different client PCs will assign different Local IDs to the same update
- You can find the local IDs that a client is using by getting the clients %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
##### Inconsistent terminology
- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.

3
windows/deployment/update/windows-update-resources.md
View File

@ -1,6 +1,6 @@
---
title: Windows Update - Additional resources
description: Additional resources for Windows Update
description: In this article, you can find additional resources for Windows Update, such as WSUS troubleshooting.
ms.prod: w10
ms.mktglfcycl:
@ -13,6 +13,7 @@ ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Update - additional resources

5
windows/deployment/update/windows-update-troubleshooting.md
View File

@ -1,6 +1,6 @@
---
title: Windows Update troubleshooting
description: Learn how to troubleshoot Windows Update
description: In this article, learn how to troubleshoot issues with Windows Update, such as why a device is frozen at scan.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@ -12,6 +12,7 @@ author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Update troubleshooting
@ -204,7 +205,7 @@ From the WU logs:
In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.
Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that wont happen here.
Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won't happen here.
```console
2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]

842
windows/deployment/windows-autopilot/autopilot-mbr.md
View File

@ -1,420 +1,422 @@
---
title: Windows Autopilot motherboard replacement
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment MBR scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot motherboard replacement scenario guidance
**Applies to**
- Windows 10
This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios.
Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEMs require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios.
**Motherboard Replacement (MBR)**
If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended:
1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot
2. [Replace the motherboard](#replace-the-motherboard)
3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device)
4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot
5. [Reset the device](#reset-the-device)
6. [Return the device](#return-the-repaired-device-to-the-customer)
Each of these steps is described below.
## Deregister the Autopilot device from the Autopilot program
Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admins Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC.
**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves.
**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didnt register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune.
### Deregister from Intune
To deregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to their Intune account
2. Navigate to Intune > Groups > All groups
3. Remove the desired device from its group
4. Navigate to Intune > Devices > All devices
5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu
6. Navigate to Intune > Devices > Azure AD devices
7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu
8. Navigate to Intune > Device enrollment > Windows enrollment > Devices
9. Select the checkbox next to the device you want to deregister
10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user”
11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored
12. With the unassigned device still selected, click the Delete button along the top menu to remove this device
**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance.
The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present.
More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group).
### Deregister from MPC
To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would:
1. Log into MPC
2. Navigate to Customer > Devices
3. Select the device to be deregistered and click the “Delete device” button
![devices](images/devices.png)
**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section.
Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call.
Because the repair facility will not have access to the users login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair:
1. Copy all important data off the device.
2. Let the repair facility know which version of Windows they should reinstall after the repair.
3. If applicable, let the repair facility know which version of Office they should reinstall after the repair.
## Replace the motherboard
Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected.
Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum:
- DiskSerialNumber
- SmbiosSystemSerialNumber
- SmbiosSystemManufacturer
- SmbiosSystemProductName
- SmbiosUuid
- TPM EKPub
- MacAddress
- ProductKeyID
- OSType
**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as:
- Verify that the device is still functional
- Disable BitLocker*
- Repair the Boot Configuration Data (BCD)
- Repair and verify the network driver operation
*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair.
## Capture a new Autopilot device ID (4K HH) from the device
Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customers login credentials, they will have to reimage the device in order to gain access, per the following steps:
1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition).
2. The repair technician boots the device to WinPE.
3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images).
**NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example.
4. The repair technician boots the device into the new Windows image.
5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below.
Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH).
Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps:
1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below).
2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example.
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
>If you are prompted to install the NuGet package, choose **Yes**.<br>
>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.<br>
>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**.
The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually.
**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device.
## Reregister the repaired device using the new device ID
If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below.
### Reregister from Intune
To reregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to Intune.
2. Navigate to Device enrollment > Windows enrollment > Devices > Import.
3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document).
The following video provides a good overview of how to (re)register devices via MSfB.<br>
> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0]
### Reregister from MPC
To reregister an Autopilot device from MPC, an OEM or CSP would:
1. Sign in to MPC.
2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file.
![device](images/device2.png)<br>
![device](images/device3.png)
In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID.
**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below:
![hash](images/hh.png)
## Reset the device
Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows:
On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset.
![reset](images/reset.png)
However, its likely the repair facility wont have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image).
## Return the repaired device to the customer
After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE.
**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., theres no way to log into the device because its been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves.
**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isnt actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step.
## Specific repair scenarios
This section covers the most common repair scenarios, and their impact on Autopilot enablement.
NOTES ON TEST RESULTS:
- Scenarios below were tested using Intune only (no other MDMs were tested).
- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled.
- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair.
- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot.
- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID)
In the following table:<br>
- Supported = **Yes**: the device can be reenabled for Autopilot
- Supported = **No**: the device cannot be reenabled for Autopilot
<table border="1">
<th>Scenario<th>Supported<th>Microsoft Recommendation
<tr><td>Motherboard Replacement (MBR) in general<td>Yes<td>The recommended course of action for MBR scenarios is:
1. Autopilot device is deregistered from the Autopilot program
2. The motherboard is replace
3. The device is reimaged (with BIOS info and DPK reinjected)*
4. A new Autopilot device ID (4K HH) is captured off the device
5. The repaired device is reregistered for the Autopilot program using the new device ID
6. The repaired device is reset to boot to OOBE
7. The repaired device is shipped back to the customer
*Its not necessary to reimage the device if the repair technician has access to the customers login credentials. Its technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes.
<tr><td>MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboard<td>No<td>This scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution.
<tr><td>MBR where the NIC card, HDD, and WLAN all remain the same after the repair<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)*
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device
<tr><td>MBR where the NIC card remains the same, but the HDD and WLAN are replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD and WLAN
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where the NIC card and WLAN remains the same, but the HDD is replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.<td>Yes<td>
1. Deregister old device from which MB will be taken
2. Deregister damaged device (that you want to repair)
3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS)
4. Reimage device (to gain access), unless have access to customers login credentials
5. Write old device info into BIOS (same s/n, model, etc.)
6. Capture new 4K HH
7. Reregister repaired device
8. Reset device back to OOBE
9. Go through Autopilot OOBE (customer)
10. Autopilot successfully enabled
<b>NOTE</b>: The repaired device can also be used successfully as a normal, non-Autopilot device.
<tr><td>BIOS info excluded from MBR device<td>No<td>Repair facility does not have BIOS tool to write device info into BIOS after MBR.
1. Deregister damaged device
2. Replace motherboard (BIOS does NOT contain device info)
3. Reimage and write DPK into image
4. Capture new 4K HH
5. Reregister repaired device
6. Create Autopilot profile for device
7. Go through Autopilot OOBE (customer)
8. Autopilot FAILS to recognize repaired device
<tr><td>MBR when there is no TPM chip<td>Yes<td>Though we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would:
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>New DPK written into image on repaired Autopilot device with a new MB<td>Yes<td>Repair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR.
1. Deregister damaged device
2. Replace motherboard BIOS does NOT contain DPK info
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reset or reimage device to pre-OOBE and write DPK into image
7. Reregister repaired device
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>New Repair Product Key (RDPK)<td>Yes<td>Using a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario.
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage or rest image to pre-OOBE
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reimage or reset image to pre-OOBE
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>No Repair Product Key (RDPK) injected<td>No<td>This scenario violates Microsoft policy and breaks the Windows Autopilot experience.
<tr><td>Reimage damaged Autopilot device that was not deregistered prior to repair<td>Yes, but the device will still be associated with previous tenant ID, so should only be returned to same customer<td>
1. Reimage damaged device
2. Write DPK into image
3. Go through Autopilot OOBE
4. Autopilot successfully enabled (to previous tenant ID)
<tr><td>Disk replacement from a non-Autopilot device to an Autopilot device<td>Yes<td>
1. Do not deregister damaged device prior to repair
2. Replace HDD on damaged device
3. Reimage or reset image back to OOBE
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled (repaired device recognized as its previous self)
<tr><td>Disk replacement from one Autopilot device to another Autopilot device<td>Maybe<td>If the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience.
Assuming the used HDD was previously deregistered (before being used in this repair):
1. Deregister damaged device
2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device
3. Reimage or rest the repaired device back to a pre-OOBE state
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled
<tr><td>Third party network card replacement <td>No<td>Whether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended.
<tr><td>A device repaired more than 3 times<td>No<td>Autopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future.
<tr><td>Memory replacement<td>Yes<td>Replacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory.
<tr><td>GPU replacement<td>Yes<td>Replacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU.
</table>
>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two.
**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps:
- Memory (RAM or ROM)
- Power Supply
- Video Card
- Card Reader
- Sound card
- Expansion card
- Microphone
- Webcam
- Fan
- Heat sink
- CMOS battery
Other repair scenarios not yet tested and verified include:
- Daughterboard replacement
- CPU replacement
- Wifi replacement
- Ethernet replacement
## FAQ
| Question | Answer |
| --- | --- |
| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. |
| What if only some components are replaced rather than the full motherboard? | While its true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. |
| How does a repair technician gain access to a broken device if they dont have the customers login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. |
## Related topics
[Device guidelines](autopilot-device-guidelines.md)<br>
---
title: Windows Autopilot motherboard replacement
ms.reviewer:
manager: laurawi
description: Find guidance for Windows Autopilot device repairs that Microsoft partners can use for servicing scenarios like Motherboard Replacement (MBR).
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Autopilot motherboard replacement scenario guidance
**Applies to**
- Windows 10
This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios.
Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM's require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios.
**Motherboard Replacement (MBR)**
If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended:
1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot
2. [Replace the motherboard](#replace-the-motherboard)
3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device)
4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot
5. [Reset the device](#reset-the-device)
6. [Return the device](#return-the-repaired-device-to-the-customer)
Each of these steps is described below.
## Deregister the Autopilot device from the Autopilot program
Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin's Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC.
**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves.
**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn't register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune.
### Deregister from Intune
To deregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to their Intune account
2. Navigate to Intune > Groups > All groups
3. Remove the desired device from its group
4. Navigate to Intune > Devices > All devices
5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu
6. Navigate to Intune > Devices > Azure AD devices
7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu
8. Navigate to Intune > Device enrollment > Windows enrollment > Devices
9. Select the checkbox next to the device you want to deregister
10. Click the extended menu icon ("…") on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to "unassign user"
11. Click "Unassign user" if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored
12. With the unassigned device still selected, click the Delete button along the top menu to remove this device
**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance.
The deregistration process will take about 15 minutes. You can accelerate the process by clicking the "Sync" button, then "Refresh" the display until the device is no longer present.
More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group).
### Deregister from MPC
To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would:
1. Log into MPC
2. Navigate to Customer > Devices
3. Select the device to be deregistered and click the "Delete device" button
![devices](images/devices.png)
**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section.
Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call.
Because the repair facility will not have access to the user's login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair:
1. Copy all important data off the device.
2. Let the repair facility know which version of Windows they should reinstall after the repair.
3. If applicable, let the repair facility know which version of Office they should reinstall after the repair.
## Replace the motherboard
Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected.
Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum:
- DiskSerialNumber
- SmbiosSystemSerialNumber
- SmbiosSystemManufacturer
- SmbiosSystemProductName
- SmbiosUuid
- TPM EKPub
- MacAddress
- ProductKeyID
- OSType
**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as:
- Verify that the device is still functional
- Disable BitLocker*
- Repair the Boot Configuration Data (BCD)
- Repair and verify the network driver operation
*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair.
## Capture a new Autopilot device ID (4K HH) from the device
Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer's login credentials, they will have to reimage the device in order to gain access, per the following steps:
1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition).
2. The repair technician boots the device to WinPE.
3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images).
**NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example.
4. The repair technician boots the device into the new Windows image.
5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below.
Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH).
Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps:
1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below).
2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example.
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
>If you are prompted to install the NuGet package, choose **Yes**.<br>
>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.<br>
>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**.
The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually.
**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device.
## Reregister the repaired device using the new device ID
If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below.
### Reregister from Intune
To reregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to Intune.
2. Navigate to Device enrollment > Windows enrollment > Devices > Import.
3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document).
The following video provides a good overview of how to (re)register devices via MSfB.<br>
> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0]
### Reregister from MPC
To reregister an Autopilot device from MPC, an OEM or CSP would:
1. Sign in to MPC.
2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file.
![device](images/device2.png)<br>
![device](images/device3.png)
In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially "new" device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID.
**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below:
![hash](images/hh.png)
## Reset the device
Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows:
On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset.
![reset](images/reset.png)
However, it's likely the repair facility won't have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image).
## Return the repaired device to the customer
After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE.
**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there's no way to log into the device because it's been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves.
**IMPORTANT**: A device can be "registered" for Autopilot prior to being powered-on, but the device isn't actually "deployed" to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step.
## Specific repair scenarios
This section covers the most common repair scenarios, and their impact on Autopilot enablement.
NOTES ON TEST RESULTS:
- Scenarios below were tested using Intune only (no other MDMs were tested).
- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled.
- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair.
- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot.
- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID)
In the following table:<br>
- Supported = **Yes**: the device can be reenabled for Autopilot
- Supported = **No**: the device cannot be reenabled for Autopilot
<table border="1">
<th>Scenario<th>Supported<th>Microsoft Recommendation
<tr><td>Motherboard Replacement (MBR) in general<td>Yes<td>The recommended course of action for MBR scenarios is:
1. Autopilot device is deregistered from the Autopilot program
2. The motherboard is replace
3. The device is reimaged (with BIOS info and DPK reinjected)*
4. A new Autopilot device ID (4K HH) is captured off the device
5. The repaired device is reregistered for the Autopilot program using the new device ID
6. The repaired device is reset to boot to OOBE
7. The repaired device is shipped back to the customer
*It's not necessary to reimage the device if the repair technician has access to the customer's login credentials. It's technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes.
<tr><td>MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless have access to customers' login credentials
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboard<td>No<td>This scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution.
<tr><td>MBR where the NIC card, HDD, and WLAN all remain the same after the repair<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless have access to customers' login credentials
4. Write old device info into BIOS (same s/n, model, etc.)*
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device
<tr><td>MBR where the NIC card remains the same, but the HDD and WLAN are replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD and WLAN
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where the NIC card and WLAN remains the same, but the HDD is replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless have access to customers' login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.<td>Yes<td>
1. Deregister old device from which MB will be taken
2. Deregister damaged device (that you want to repair)
3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS)
4. Reimage device (to gain access), unless have access to customers' login credentials
5. Write old device info into BIOS (same s/n, model, etc.)
6. Capture new 4K HH
7. Reregister repaired device
8. Reset device back to OOBE
9. Go through Autopilot OOBE (customer)
10. Autopilot successfully enabled
<b>NOTE</b>: The repaired device can also be used successfully as a normal, non-Autopilot device.
<tr><td>BIOS info excluded from MBR device<td>No<td>Repair facility does not have BIOS tool to write device info into BIOS after MBR.
1. Deregister damaged device
2. Replace motherboard (BIOS does NOT contain device info)
3. Reimage and write DPK into image
4. Capture new 4K HH
5. Reregister repaired device
6. Create Autopilot profile for device
7. Go through Autopilot OOBE (customer)
8. Autopilot FAILS to recognize repaired device
<tr><td>MBR when there is no TPM chip<td>Yes<td>Though we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in "standard user" mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would:
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless have access to customers' login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>New DPK written into image on repaired Autopilot device with a new MB<td>Yes<td>Repair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR.
1. Deregister damaged device
2. Replace motherboard BIOS does NOT contain DPK info
3. Reimage device (to gain access), unless have access to customers' login credentials
4. Write device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reset or reimage device to pre-OOBE and write DPK into image
7. Reregister repaired device
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>New Repair Product Key (RDPK)<td>Yes<td>Using a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario.
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage or rest image to pre-OOBE
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reimage or reset image to pre-OOBE
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>No Repair Product Key (RDPK) injected<td>No<td>This scenario violates Microsoft policy and breaks the Windows Autopilot experience.
<tr><td>Reimage damaged Autopilot device that was not deregistered prior to repair<td>Yes, but the device will still be associated with previous tenant ID, so should only be returned to same customer<td>
1. Reimage damaged device
2. Write DPK into image
3. Go through Autopilot OOBE
4. Autopilot successfully enabled (to previous tenant ID)
<tr><td>Disk replacement from a non-Autopilot device to an Autopilot device<td>Yes<td>
1. Do not deregister damaged device prior to repair
2. Replace HDD on damaged device
3. Reimage or reset image back to OOBE
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled (repaired device recognized as its previous self)
<tr><td>Disk replacement from one Autopilot device to another Autopilot device<td>Maybe<td>If the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience.
Assuming the used HDD was previously deregistered (before being used in this repair):
1. Deregister damaged device
2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device
3. Reimage or rest the repaired device back to a pre-OOBE state
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled
<tr><td>Third party network card replacement <td>No<td>Whether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended.
<tr><td>A device repaired more than 3 times<td>No<td>Autopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future.
<tr><td>Memory replacement<td>Yes<td>Replacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory.
<tr><td>GPU replacement<td>Yes<td>Replacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU.
</table>
>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two.
**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps:
- Memory (RAM or ROM)
- Power Supply
- Video Card
- Card Reader
- Sound card
- Expansion card
- Microphone
- Webcam
- Fan
- Heat sink
- CMOS battery
Other repair scenarios not yet tested and verified include:
- Daughterboard replacement
- CPU replacement
- Wifi replacement
- Ethernet replacement
## FAQ
| Question | Answer |
| --- | --- |
| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. |
| What if only some components are replaced rather than the full motherboard? | While it's true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. |
| How does a repair technician gain access to a broken device if they don't have the customer's login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. |
## Related topics
[Device guidelines](autopilot-device-guidelines.md)<br>

9
windows/deployment/windows-autopilot/autopilot-support.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot support
description: Find out who to contact for help with your Windows Autopilot installation.
description: This article provides support information and contacts to get help with your Windows Autopilot installation.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@ -15,6 +15,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Autopilot support information
@ -28,10 +29,10 @@ Before contacting the resources listed below for Windows Autopilot-related issue
| Audience | Support contact |
|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if youre a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you're a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority: <br>Low 120 hours <br>Normal 72 hours <br>High 24 hours <br>Immediate 4 hours |
| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether youre a CSP or not), you may first try working through your accounts specific Partner Technology Strategist (PTS). |
| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether youre a CSP or not), you may first try working through your accounts specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. |
| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you're a CSP or not), you may first try working through your account's specific Partner Technology Strategist (PTS). |
| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you're a CSP or not), you may first try working through your account's specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. |
| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. |
| End-user | Contact your IT administrator. |
| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. |

32
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -2,7 +2,7 @@
title: Demonstrate Autopilot deployment
ms.reviewer:
manager: laurawi
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
description: In this article, find step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,7 +13,9 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: autopilot
ms.custom:
- autopilot
- seo-marvel-apr2020
---
@ -225,7 +227,7 @@ Ensure the VM booted from the installation ISO, click **Next** then click **Inst
![Windows setup](images/winsetup5.png)
![Windows setup](images/winsetup6.png)
After the VM restarts, during OOBE, its fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
![Windows setup](images/winsetup7.png)
@ -244,7 +246,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
> [!NOTE]
> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but youre not going to use the OA3 Tool to capture the full 4K HH for various reasons (youd have to install the OA3 tool, your device couldnt have a volume license version of Windows, its a more complicated process than using a PS script, etc.). Instead, youll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
@ -303,7 +305,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
![Serial number and hardware hash](images/hwid.png)
You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If youre using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
@ -331,7 +333,7 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
![MDM and Intune](images/mdm-intune2.png)
If the configuration blade shown above does not appear, its likely that you dont have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
@ -376,7 +378,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). Its okay if other fields (Windows Product ID) are left blank.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
![HWID CSV](images/hwid-csv.png)
@ -473,7 +475,7 @@ To create a Group, open the Azure Portal and select **Azure Active Directory** >
![All groups](images/all-groups.png)
Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
Select New group from the Groups blade to open the new groups UI. Select the "Security" group type, name the group, and select the "Assigned" membership type:
Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
@ -497,7 +499,7 @@ Click **Select** and then click **Save**.
![Include group](images/include-group2.png)
Its also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
### Create a Windows Autopilot deployment profile using MSfB
@ -544,14 +546,14 @@ Confirm the profile was successfully assigned to the intended device by checking
## See Windows Autopilot in action
If you shut down your VM after the last reset, its time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
![Device status](images/device-status.png)
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
> [!TIP]
> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience youre expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
@ -610,7 +612,7 @@ If you also (optionally) want to remove your device from AAD, navigate to **Azur
## Appendix A: Verify support for Hyper-V
Starting with Windows 8, the host computers microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
@ -654,13 +656,13 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
Before we can pull an application into Intune to make it part of our AP profile, we need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
3. The output folder for the new file
For the purposes of this lab, well use the Notepad++ tool as our Win32 app.
For the purposes of this lab, we'll use the Notepad++ tool as our Win32 app.
Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi.
@ -700,7 +702,7 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
![Add app](images/app06.png)
Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesnt actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.

3
windows/deployment/windows-autopilot/enrollment-status.md
View File

@ -2,7 +2,7 @@
title: Windows Autopilot Enrollment Status Page
ms.reviewer:
manager: laurawi
description: Gives an overview of the Enrollment Status Page capabilities, configuration
description: This article provides an overview of the Windows Autopilot Enrollment Status Page capabilities and configuration.
keywords: Autopilot Plug and Forget, Windows 10
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---

3
windows/deployment/windows-autopilot/index.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot deployment
description: Discover resources for Windows Autopilot deployment with this guide.
description: In this article, discover resources for the zero-touch, self-service Windows deployment platform Windows Autopilot.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---

17
windows/deployment/windows-autopilot/known-issues.md
View File

@ -2,7 +2,7 @@
title: Windows Autopilot known issues
ms.reviewer:
manager: laurawi
description: Inform yourself about known issues that may occur during Windows Autopilot deployment.
description: Use this article to learn about known issues that might occur during a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
@ -42,14 +43,14 @@ This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConf
<li>Add a new <b>Run command line</b> step that runs <b>c:\windows\system32\sysprep\sysprep.exe /oobe /reboot</b>.</ol>
<a href="https://oofhours.com/2019/09/19/a-challenge-with-windows-autopilot-for-existing-devices-and-windows-10-1903/">More information</a></tr>
<tr><td>TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them dont, so that validation will be removed).
<tr><td>TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don't, so that validation will be removed).
<td>Download and install the <a href="https://support.microsoft.com/help/4517211/windows-10-update-kb4517211">KB4517211 update</a>.
<tr><td>The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
- Windows Autopilot for existing devices feature does not properly suppress “Activities” page during OOBE. (Because of this, youll see that extra page during OOBE).
- TPM attestation state is not cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isnt a particularly common issue, but you could run into it while testing if you are running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot white glove or self-deploying scenario).
- Windows Autopilot for existing devices feature does not properly suppress "Activities" page during OOBE. (Because of this, you'll see that extra page during OOBE).
- TPM attestation state is not cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn't a particularly common issue, but you could run into it while testing if you are running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot white glove or self-deploying scenario).
- TPM attestation may fail if the device has a valid AIK cert but no EK cert. (This is related to the previous item).
- If TPM attestation fails during the Windows Autopilot white glove process, the landing page appears to be hung. (Basically, the white glove landing page, where you click “Provision” to start the white glove process, isnt reporting errors properly).
- If TPM attestation fails during the Windows Autopilot white glove process, the landing page appears to be hung. (Basically, the white glove landing page, where you click "Provision" to start the white glove process, isn't reporting errors properly).
- TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Prior to this fix, only a specific list of firmware versions was accepted).
- Device naming templates may truncate the computer name at 14 characters instead of 15.
- Assigned Access policies cause a reboot which can interfere with the configuration of single-app kiosk devices.
@ -58,8 +59,8 @@ This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConf
- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success."
- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image.
- BitLocker encryption is not correctly configured. Ex: BitLocker didnt get an expected notification after policies were applied to begin encryption.
- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, youve probably seen this error.
- BitLocker encryption is not correctly configured. Ex: BitLocker didn't get an expected notification after policies were applied to begin encryption.
- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you've probably seen this error.
- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue.
<td>Download and install the <a href="https://support.microsoft.com/help/4505903">KB4505903 update</a>. <br><br>See the section: <b>How to get this update</b> for information on specific release channels you can use to obtain the update.
<tr><td>Windows Autopilot <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying">self-deploying mode</a> fails with an error code:
@ -68,7 +69,7 @@ This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConf
<tr><td>0x801c03ea<td>This error indicates that TPM attestation failed, causing a failure to join Azure Active Directory with a device token.
<tr><td>0xc1036501<td>The device cannot do an automatic MDM enrollment because there are multiple MDM configurations in Azure AD. See <a href="https://oofhours.com/2019/10/01/inside-windows-autopilot-self-deploying-mode/">Inside Windows Autopilot self-deploying mode</a>.
</table>
<tr><td>White glove gives a red screen and the <b>Microsoft-Windows-User Device Registration/Admin</b> event log displays <b>HResult error code 0x801C03F3</b><td>This can happen if Azure AD cant find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.<br>
<tr><td>White glove gives a red screen and the <b>Microsoft-Windows-User Device Registration/Admin</b> event log displays <b>HResult error code 0x801C03F3</b><td>This can happen if Azure AD can't find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.<br>
<br>To obtain troubleshooting logs use: <b>Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab</b>
<tr><td>White glove gives a red screen<td>White glove is not supported on a VM.
<tr><td>Error importing Windows Autopilot devices from a .csv file<td>Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.

5
windows/deployment/windows-autopilot/profiles.md
View File

@ -1,6 +1,6 @@
---
title: Configure Autopilot profiles
description: Learn how to configure device profiles while performing a Windows Autopilot deployment.
description: In this article, learn how to configure device profiles while performing a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
@ -33,7 +34,7 @@ The following profile settings are available:
- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organizations name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization's name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.

31
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -1,6 +1,6 @@
---
title: Troubleshooting Windows Autopilot
description: Learn how to handle issues as they arise during the Windows Autopilot deployment process.
description: In this article, learn how to handle issues as they arise during the Windows Autopilot deployment process.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
@ -92,18 +93,18 @@ To see details related to the Autopilot profile settings and OOBE flow, Windows
| Event ID | Type | Description |
|----------|------|-------------|
| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
| 163 | Info | AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this. This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” |
| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
| 100 | Warning | "AutoPilot policy [name] not found." This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
| 101 | Info | "AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value]." This shows Autopilot retrieving and processing numeric OOBE settings. |
| 103 | Info | "AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value]." This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
| 109 | Info | "AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state]." This shows Autopilot retrieving and processing state-related OOBE settings. |
| 111 | Info | "AutoPilotRetrieveSettings succeeded." This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
| 153 | Info | "AutoPilotManager reported the state changed from [original state] to [new state]." Typically this should say "ProfileState_Unknown" to "ProfileState_Available" to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
| 160 | Info | "AutoPilotRetrieveSettings beginning acquisition." This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
| 161 | Info | "AutoPilotManager retrieve settings succeeded." The Autopilot profile was successfully downloaded. |
| 163 | Info | "AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this." This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
| 164 | Info | "AutoPilotManager determined Internet is available to attempt policy download." |
| 171 | Error | "AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code]." This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
| 172 | Error | "AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code]." This is typically related to event ID 171. |
In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.
@ -114,8 +115,8 @@ On Windows 10 version 1709 and above, information about the Autopilot profile se
| Value | Description |
|-------|-------------|
| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. |
| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isnt registered with Autopilot, this value will be blank.|
| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. "contosomn.onmicrosoft.com." If the device is not registered with Autopilot, this value will be blank. |
| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn't registered with Autopilot, this value will be blank.|
| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |

11
windows/deployment/windows-autopilot/white-glove.md
View File

@ -1,6 +1,6 @@
---
title: Windows Autopilot for white glove deployment
description: Windows Autopilot for white glove deployment
description: Learn how to use Windows Autopilot for a white glove deployment that enables partners or IT staff to pre-provision a Windows 10 PC.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,6 +14,7 @@ ms.audience: itpro
author: greg-lindsay
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Windows Autopilot for white glove deployment
@ -24,7 +25,7 @@ Windows Autopilot enables organizations to easily provision new devices - levera
![OEM](images/wg01.png)
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end users perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user's perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few necessary settings and polices and then they can begin using their device.
@ -42,7 +43,7 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
>[!IMPORTANT]
>Because the OEM or vendor performs the white glove process, this <u>doesnt require access to an end-user's on-prem domain infrastructure</u>. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
>Because the OEM or vendor performs the white glove process, this <u>doesn't require access to an end-user's on-prem domain infrastructure</u>. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
## Preparation
@ -110,8 +111,8 @@ If the pre-provisioning process completed successfully and the device was reseal
- Power on the device.
- Select the appropriate language, locale, and keyboard layout.
- Connect to a network (if using Wi-Fi). If using Hybrid Azure AD Join, there must be connectivity to a domain controller; if using Azure AD Join, internet connectivity is required.
- On the branded sign-on screen, enter the users Azure Active Directory credentials.
- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the users Active Directory credentials.
- On the branded sign-on screen, enter the user's Azure Active Directory credentials.
- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user's Active Directory credentials.
- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP). Once complete, the user will be able to access the desktop.
## Related topics

7
windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
View File

@ -2,7 +2,7 @@
title: Windows Autopilot what's new
ms.reviewer:
manager: laurawi
description: Read news and resources about the latest updates and past versions of Windows Autopilot.
description: In this article, read news and resources about the latest updates and past versions of Windows Autopilot.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
@ -45,9 +46,9 @@ Also new in this version of Windows:
## New in Windows 10, version 1809
Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the "Next" button during the deployment process.
You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organizations MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization's MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
>[!NOTE]
>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.