| Expand a category. |  |
| Select a setting. |  |
| Enter a value for the setting. Click **Add** if the button is displayed. |  |
| Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed. |  |
| When the setting is configured, it is displayed in the **Selected customizations** pane. |  |
The receiving device uses this information to understand information in the Data field. | +| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. | + + + +### NFC provisioning helper + +The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format: + +
| **Version**(1 byte) | **Leading** (1 byte) | **Order**(1 byte) | **Total**(1 byte) | **Chunk payload**(N bytes) |
| Topic | Description | Time + + |
| [About MDT](#about-mdt) | A high-level overview of the Microsoft Deployment Toolkit (MDT). | Informational + |
| [Install MDT](#install-mdt) | Download and install MDT. | 40 minutes + |
| [Create a deployment share and reference image](#create-a-deployment-share-and-reference-image) | A reference image is created to serve as the template for deploying new images. | 90 minutes + |
| [Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt) | The reference image is deployed in the PoC environment. | 60 minutes + |
| [Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10) | Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. | 60 minutes + |
| [Replace a computer with Windows 10](#replace-a-computer-with-windows-10) | Back up an existing client computer, then restore this backup to a new computer. | 60 minutes + |
| [Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities) | Log locations and troubleshooting hints. | Informational + |
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + + +7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +10. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Progress: wait for files to be copied + - Confirmation: click **Finish** + + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. + +11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + + +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. + +14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change. + +15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +18. Click **OK** to complete editing the task sequence. + +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab. + +20. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +22. Click **OK** to complete the configuration of the deployment share. + +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + +
+ + New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 ++
+ + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. + +## Deploy a Windows 10 image using MDT + +This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. + +1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd + - **Share name**: MDTProd$ + - **Deployment share description**: MDT Production + - **Options**: accept the default + + +2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**. + +3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. + +4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +5. On the **OS Type** page, choose **Custom image file** and then click **Next**. + +6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**. + +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. + +8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. + +9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**. + +10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example: + +  + + +### Create the deployment task sequence + +1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**. + +2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 Custom Image + - Task sequence comments: Production Image + - Select Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: http://www.contoso.com + - Admin Password: pass@word1 + +### Configure the MDT production deployment share + +1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + ``` + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force + copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force + ``` +2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**. + +3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet): + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + OSDComputername=#Left("PC-%SerialNumber%",7)# + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=administrator + DomainAdminDomain=CONTOSO + DomainAdminPassword=pass@word1 + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://SRV1:9800 + ``` + **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + + If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): + + ``` + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + ``` + + For example, to migrate **all** users on the computer, replace this line with the following: + + ``` + ScanStateArgs=/all + ``` + + For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx). + +4. Click **Edit Bootstap.ini** and replace text in the file with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTProd$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` +5. Click **OK** when finished. + +### Update the deployment share + +1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. + +3. Click **Finish** when the update is complete. + +### Enable deployment monitoring + +1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. + +2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). + +4. Close Internet Explorer. + +### Configure Windows Deployment Services + +1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. + +3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**. + +4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. + +### Deploy the client image + +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. + + >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` + +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 + ``` + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + +3. Start the new VM and connect to it: + + ``` + Start-VM PC2 + vmconnect localhost PC2 + ``` +4. When prompted, hit ENTER to start the network boot process. + +5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. +8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. + +  + + +This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. + +## Refresh a computer with Windows 10 + +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). + +If the PC1 VM is not already running, then start and connect to it: + + ``` + Start-VM PC1 + vmconnect localhost PC1 + ``` + +1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` + +2. Sign on to PC1 using the CONTOSO\Administrator account. + + >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + +3. Open an elevated command prompt on PC1 and type the following: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` + + **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. + +4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. + +5. Choose **Do not back up the existing computer** and click **Next**. + + **Note**: The USMT will still back up the computer. + +6. Lite Touch Installation will perform the following actions: + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. + + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + +7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). + +8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName RefreshState + ``` + +9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false + Start-VM PC1 + vmconnect localhost PC1 + ``` + +10. Sign in to PC1 using the contoso\administrator account. + +## Replace a computer with Windows 10 + +At a high level, the computer replace process consists of:
+- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
+- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. + +### Create a backup-only task sequence + +1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. +2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. +3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -Path C:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE + icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' + ``` +4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. +5. Name the new folder **Other**, and complete the wizard using default options. +6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 + - **Task sequence name**: Backup Only Task Sequence + - **Task sequence comments**: Run USMT to back up user data and settings + - **Template**: Standard Client Replace Task Sequence (note: this is not the default template) +7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. +8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. + +### Run the backup-only task sequence + +1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: + + ``` + whoami + ``` +2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: + + ``` + Remove-Item c:\minint -recurse + Remove-Item c:\_SMSTaskSequence -recurse + Restart-Computer + ``` +2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: + + ``` + cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ``` +3. Complete the deployment wizard using the following: + - **Task Sequence**: Backup Only Task Sequence + - **User Data**: Specify a location: **\\SRV1\MigData$\PC1** + - **Computer Backup**: Do not back up the existing computer. +4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: + + ``` + PS C:\> dir C:\MigData\PC1\USMT + + Directory: C:\MigData\PC1\USMT + + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG + ``` +### Deploy PC3 + +1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ``` + New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + ``` +2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Disable-NetAdapter "Ethernet 2" -Confirm:$false + ``` +3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` +4. When prompted, press ENTER for network boot. + +6. On PC3, ue the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1** +5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: + + ``` + Enable-NetAdapter "Ethernet 2" + ``` +7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + +8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. + +9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure. + +## Troubleshooting logs, events, and utilities + +Deployment logs are available on the client computer in the following locations: +- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS +- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS +- After deployment: %WINDIR%\TEMP\DeploymentLogs + +You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. + +Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) + +Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. + +## Related Topics + +[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
+[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md) + + + + + + + diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md new file mode 100644 index 0000000000..d9278a15c5 --- /dev/null +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -0,0 +1,1040 @@ +--- +title: Deploy Windows 10 using System Center Configuration Manager +description: Deploy Windows 10 in a test lab using System Center Configuration Manager +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Deploy Windows 10 in a test lab using System Center Configuration Manager + +**Applies to** + +- Windows 10 + +**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: +- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. + +The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): +- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. +- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. + +This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. + +## In this guide + +This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
| Topic | Description | Time + + |
| [Install prerequisites](#install-prerequisites) | Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK. | 60 minutes + |
| [Install System Center Configuration Manager](#install-system-center-configuration-manager) | Download System Center Configuration Manager, configure prerequisites, and install the package. | 45 minutes + |
| [Download MDOP and install DaRT](#download-mdop-and-install-dart) | Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10. | 15 minutes + |
| [Prepare for Zero Touch installation](#prepare-for-zero-touch-installation) | Prerequisite procedures to support Zero Touch installation. | 60 minutes + |
| [Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager) | Use the MDT wizard to create the boot image in Configuration Manager. | 20 minutes + |
| [Create a Windows 10 reference image](#create-a-windows-10-reference-image) | This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. | 0-60 minutes + |
| [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image) | Add a Windows 10 operating system image and distribute it. | 10 minutes + |
| [Create a task sequence](#Create a task sequence) | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes + |
| [Finalize the operating system configuration](#finalize-the-operating-system-configuration) | Enable monitoring, configure rules, and distribute content. | 30 minutes + |
| [Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager) | Deploy Windows 10 using Configuration Manager deployment packages and task sequences. | 60 minutes + |
| [Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager) | Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT | 90 minutes + |
| [Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager) | Replace a client computer with Windows 10 using Configuration Manager. | 90 minutes + + |
+
+5. Click **OK**.
+6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+ ```
+ cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+
+ abortpxe.com
+ bootmgfw.efi
+ bootmgr.exe
+ pxeboot.com
+ pxeboot.n12
+ wdsmgfw.efi
+ wdsnbp.com
+ ```
+ >If these files are not present, type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the C:\RemoteInstall\SMSBoot\x64 directory. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the C:\RemoteInstall directory is being populated with necessary files:
+
+ Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
+
+ Once the files are present in C:\RemoteInstall, you can close the cmtrace tool.
+
+### Create a branding image file
+
+1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
+2. Type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
+ ```
+ >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
+
+
+## Create a boot image for Configuration Manager
+
+1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
+ - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
+3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
+4. On the Options page, under **Platform** choose **x64**, and click **Next**.
+5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
+7. Click **Finish**.
+8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
+9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+ >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
+ ```
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
+14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
+
+ ```
+ cmd /c dir /s /b C:\RemoteInstall\SMSImages
+
+ C:\RemoteInstall\SMSImages\PS100004
+ C:\RemoteInstall\SMSImages\PS100005
+ C:\RemoteInstall\SMSImages\PS100006
+ C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
+ C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
+ C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
+ ```
+
+ >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
+
+## Create a Windows 10 reference image
+
+If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
+
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+5. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard TimeZoneName + OSDComputername=#Left("PC-%SerialNumber%",7)# + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=NO + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). + + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. + +## Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64" + cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" + ``` + +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. + +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. + +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. + +5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. + +6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. + + >If content distribution is not successful, verify that sufficient disk space is available. + +## Create a task sequence + +>Complete this section slowly. There are a large number of similar settings from which to choose. + +1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. + +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. + +4. On the Details page, enter the following settings:
+ - Join a domain: contoso.com
+ - Account: click **Set**
+ - User name: contoso\CM_JD
+ - Password: pass@word1
+ - Confirm password: pass@word1
+ - Click **OK**
+ - Windows Settings
+ - User name: Contoso
+ - Organization name: Contoso
+ - Product key: \
+ - Administrator Account: Enable the account and specify the local administrator password
+ - Password: pass@word1
+ - Confirm password: pass@word1
+ - Click Next
+ +5. On the Capture Settings page, accept the default settings and click **Next**. + +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**. + +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**. + +8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**. + +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**. + +10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. + +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**. + +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**. + +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. + +14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. + +15. On the Sysprep Package page, click **Next** twice. + +16. On the Confirmation page, click **Finish**. + +### Edit the task sequence + +1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. + +2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. + +3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. + +4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. + +5. Configure the **Request State Store** action that was just added with the following settings:
+ - Request state storage location to: **Restore state from another computer**
+ - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **Apply**
. + +6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. + +7. Configure the **Release State Store** action that was just added with the following settings:
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **OK**
. + + +## Finalize the operating system configuration + +>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. + +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. + +2. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTProduction**
+ - Share name: **MDTProduction$**
+ - Deployment share description: **MDT Production**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +3. Right-click the **MDT Production** deployment share, and click **Properties**. + +4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. + +5. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ``` +6. Replace the contents of the file with the following text, and then save the file: + + ``` + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\SRV1\Logs$ + EventService=http://SRV1:9800 + ApplyGPOPack=NO + ``` +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. + +8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. + +9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. + +10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. + +### Create a deployment for the task sequence + +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. + +2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. + +3. On the Deployment Settings page, use the following settings:
+ - Purpose: **Available**
+ - Make available to the following: **Only media and PXE**
+ - Click **Next**.
+4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + +5. Click **Close**. + +## Deploy Windows 10 using PXE and Configuration Manager + +1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 + Start-VM PC4 + vmconnect localhost PC4 + ``` + +2. Press ENTER when prompted to start the network boot service. + +3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. + +4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open. + +5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. + +6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + +7. In the explorer window, click **Tools** and then click **Map Network Drive**. + +8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. + +9. Close the Map Network Drive window, the Explorer window, and the command prompt. + +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment. + +11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 + - Install the Configuration Manager client and hotfix + - Join the computer to the contoso.com domain + - Install any applications that were specified in the reference image + +12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. + +13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. + +14. Shut down the PC4 VM. + +## Refresh a client with Windows 10 using Configuration Manager + +>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console to remove stale entries under contoto.com\Computers, but **do not delete the computer account (hostname) for PC1**. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. + +### Install the Configuration Manager client on PC1 + +1. Verify that PC1 is in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). + +2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName BeginState + ``` +3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarcy Configuration** and click on **Discovery Methods**. +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. +6. When a popup dialog box asks if you want to run full discovery, click **Yes**. +7. In the Assets and Compliance workspace, expand **Devices** and click **All Systems**. Verify that a computer account for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the hostname of PC1 in this example): + +  + + >If you only see the **Devices** parent node, you can add and view device collections in the tree by clicking **Device Collections** and then double-clicking a device collection. + + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + +8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists: + + ``` + sc stop ccmsetup + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall + ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). + +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: + + ``` + net stop wuauserv + net stop BITS + ``` + + Verify that both services were stopped successfully, then type the following at an elevated command prompt: + + ``` + del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + net start BITSexit + bitsadmin /list /allusers + ``` + + Verify that BITSAdmin displays 0 jobs. + +10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: + + ``` + "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 + ``` +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: + + ``` + Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait + ``` + + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation. A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + +13. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` + +14. Click the **Site** tab and click **Find Site**. The client will report that it has found the PS1 site. See the following example: + +  + + If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. + +15. On SRV1, in the Assets and Compliance workspace, click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: + +  + + >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. + +### Create a device collection and deployment + +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. + +2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM
+ - Click **Next** twice and then click **Close** in both windows. + +3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. + +4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. + +5. Use the following settings in the Deploy Sofware wizard: + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - Deployment Settings > Purpose: **Available**
+ - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+ - Scheduling > Click **Next**
+ - User Experience > Click **Next**
+ - Alerts > Click **Next**
+ - Distribution Points > Click **Next**
+ - Summary > Click **Next**
+ - Verify that the wizard completed successfully and then click **Close** + +6. **Important** Before initiating a computer refresh, save a checkpoint for all three computers: PC1, SRV1, and DC1. This ensures that we can restore all computers, including Active Directory and the Configuration Manager client status to the pre-Windows 10 installation state prior to running the replace procedure. To save checkpoints, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name PC1 -SnapshotName cm-start + Checkpoint-VM -Name SRV1 -SnapshotName cm-start + Checkpoint-VM -Name DC1 -SnapshotName cm-start + ``` + +### Initiate the computer refresh + +1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. +3. On PC1, in the notification area, click **New sofware is available** and then click **Open Sofware Center**. +4. In the Sofware Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: + +  + + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: + +  + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + +  + +5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required. To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + ``` + Checkpoint-VM -Name DC1 -SnapshotName cm-refresh + Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh + Checkpoint-VM -Name PC1 -SnapshotName cm-refresh + ``` + +## Replace a client with Windows 10 using Configuration Manager + +Before starting the replace procedure, restore all three VMs using the checkpoints created in the previous procedure. To restore the checkpoints and connect to the VMs again, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +Restore-VMSnapshot -VMName DC1 -Name cm-start -Confirm:$false +Restore-VMSnapshot -VMName SRV1 -Name cm-start -Confirm:$false +Restore-VMSnapshot -VMName PC1 -Name cm-start -Confirm:$false +Start-VM DC1 +vmconnect localhost DC1 +Start-VM SRV1 +vmconnect localhost SRV1 +Start-VM PC1 +vmconnect localhost PC1 +``` + +>If resources are limited in the Hyper-V environment, SRV1 can require several minutes for all services to start and present the sign-in screen after restoring VMs. Verify that all required services are running, and start any service that are not running. Use the Server Manager dashboard to view and start services. When all services are running, open the Configuration Manager console. + +### Create a replace task sequence + +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. + +2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. + +3. On the General page, type the following: + - Task sequence name: **Replace Task Sequence** + - Task sequence comments: **USMT backup only** + +4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. +8. On the Summary page, review the details and then click **Next**. +9. On the Confirmation page, click **Finish**. + +>If you receive an error at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. + +### Deploy PC4 + +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +``` +New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 +Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF +``` + +>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. + +### Associate PC4 with PC1 + +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. + +2. On the Select Source page, choose **Import single computer** and click **Next**. + +3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** + - MAC Address: **00:15:5D:83:26:FF** + - Source Computer:
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM.
+ - Click **Next** twice and then click **Close** in both windows. + +3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. + +### Create a new deployment + +In the Configuration Manager console, in the Software Library workspace, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +- General > Collection: **USMT Backup (Replace)**
+- Deployment Settings > Purpose: **Available**
+- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Scheduling: Click **Next**
+- User Experience: Click **Next**
+- Alerts: Click **Next**
+- Distribution Points: Click **Next**
+- Click **Next** and then click **Close**. + +### Verify the backup + +1. On PC1, open the Configuration Manager control panel applet by typing the following command: + + ``` + control smscfgrc + ``` +2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is another method that can be used in addition to the Client Notification method used previously. + +3. Using the Software Center as was done in the previous procedure, click **Operating Systems** and then click **Replace Task Sequence**. See the following example: + +  + +4. Click **Install** and then click **INSTALL OPERATING SYSTEM**. +5. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. + +### Deploy the new computer + +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host: + + ``` + Start-VM PC4 + vmconnect localhost PC4 + ``` +2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and click **Next**. +3. Choose the **Windows 10 Enterprise X64** image. +4. Setup will install the operating system, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. + + +## Related Topics + +[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + + + + + + + diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md new file mode 100644 index 0000000000..6156ac502d --- /dev/null +++ b/windows/deploy/windows-10-poc.md @@ -0,0 +1,1074 @@ +--- +title: Configure a test lab to deploy Windows 10 +description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Step by step guide: Configure a test lab to deploy Windows 10 + +**Applies to** + +- Windows 10 + +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: + +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
+- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+ +The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. + +Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. + +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. + +>Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. + +>A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. + +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-in-this-guide) used in this guide before starting. + +## In this guide + +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. + +After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
| Topic | Description | Time + + |
| [Hardware and software requirements](#hardware-and-software-requirements) | Prerequisites to complete this guide. | Informational + |
| [Lab setup](#lab-setup) | A description and diagram of the PoC environment. | Informational + |
| [Configure the PoC environment](#configure-the-poc-environment) | Parent topic for procedures. | Informational + |
| [Verify support and install Hyper-V](#verify-support-and-install-hyper-v) | Verify that installation of Hyper-V is supported, and install the Hyper-V server role. | 10 minutes + |
| [Download VHD and ISO files](#download-vhd-and-iso-files) | Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host. | 30 minutes + |
| [Convert PC to VM](#convert-pc-to-vm) | Convert a physical computer on your network to a VM hosted in Hyper-V. | 30 minutes + |
| [Resize VHD](#resize-vhd) | Increase the storage capacity for one of the Windows Server VMs. | 5 minutes + |
| [Configure Hyper-V](#configure-hyper-v) | Create virtual switches, determine available RAM for virtual machines, and add virtual machines. | 15 minutes + |
| [Configure VHDs](#configure-vhds) | Start virtual machines and configure all services and settings. | 60 minutes + |
| [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) | Verify and troubleshoot network connectivity and services in the PoC environment. | 30 minutes + |
| [Appendix B: Terminology in this guide](#appendix-d-terminology-in-this-guide) | Terms used in this guide. | Informational + |
| + | **Computer 1** (required) | +**Computer 2** (recommended) | +
| **Role** | +Hyper-V host | +Client computer | +
| **Description** | +This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module. | +This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process. | +
| **OS** | +Windows 8.1/10 or Windows Server 2012/2012 R2/2016* | +Windows 7 or a later | +
| **Edition** | +Enterprise, Professional, or Education | +Any | +
| **Architecture** | +64-bit | +Any Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade. |
+
| **RAM** | +8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
+ 16 GB RAM to test Windows 10 deployment with System Center Configuration Manager. |
+ Any | +
| **Disk** | +50 GB available hard disk space (100 GB recommended), any format. | +Any size, MBR formatted. | +
| **CPU** | +SLAT-Capable CPU | +Any | +
| **Network** | +Internet connection | +Any | +
+
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
+[Download VHD and ISO files](#download-vhd-and-iso-files)
+[Convert PC to VHD](#convert-pc-to-vhd)
+[Resize VHD](#resize-vhd)
+[Configure Hyper-V](#configure-hyper-v)
+[Configure VMs](#configure-vms)
+ +### Verify support and install Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + +
+ C:\>systeminfo + + ... + Hyper-V Requirements: VM Monitor Mode Extensions: Yes + Virtualization Enabled In Firmware: Yes + Second Level Address Translation: Yes + Data Execution Prevention Available: Yes ++ + In this example, the computer supports SLAT and Hyper-V. + + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](http://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example: + +
+ C:\>coreinfo -v + + Coreinfo v3.31 - Dump information on system CPU and memory topology + Copyright (C) 2008-2014 Mark Russinovich + Sysinternals - www.sysinternals.com + + Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz + Intel64 Family 6 Model 42 Stepping 7, GenuineIntel + Microcode signature: 0000001B + HYPERVISOR - Hypervisor is present + VMX * Supports Intel hardware-assisted virtualization + EPT * Supports Intel extended page tables (SLAT) ++ + Note: A 64-bit operating system is required to run Hyper-V. + +2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: + +
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All+ + This command works on all operating systems that support Hyper-V. + + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + +  + +  + +
If you choose to install Hyper-V using Server Manager, accept all default selections. + +### Download VHD and ISO files + +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. + +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. + + **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + + After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. + +
|  |
+C:\>mkdir VHD +C:\>cd VHD +C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd +C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd + 1 file(s) copied. +C:\VHD ren *.iso w10-enterprise.iso +C:\VHD>dir /B +2012R2-poc-1.vhd +2012R2-poc-2.vhd +w10-enterprise.iso ++ +### Convert PC to VM + +>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. + +
|
+If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+ +
|
| + | Architecture | +Operating system | +Partition style | +
| Generation 1 | +32-bit or 64-bit | +Windows 7 or later | +MBR | +
| Generation 2 | +64-bit | +Windows 8 or later | +MBR or GPT | +
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type ++ +If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: + +
+PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type + +SystemName Caption Type +---------- ------- ---- +USER-PC1 Disk #0, Partition #0 GPT: System +USER-PC1 Disk #0, Partition #1 GPT: Basic Data ++ +On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: + +
+PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type + +SystemName Caption Type +---------- ------- ---- +PC-X1 Disk #0, Partition #0 GPT: Unknown +PC-X1 Disk #0, Partition #1 GPT: System +PC-X1 Disk #0, Partition #2 GPT: Basic Data +PC-X1 Disk #0, Partition #3 GPT: Basic Data +PC-X1 Disk #0, Partition #4 GPT: Basic Data + +PS C:\> Get-Disk + +Number Friendly Name OperationalStatus Total Size Partition Style +------ ------------- ----------------- ---------- --------------- +0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT ++ +**Choosing a VM generation** + +The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. + +
| OS | +Partition style | +Architecture | +VM generation | +Procedure | +
| Windows 7 | +MBR | +32 | +1 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +
| 64 | +1 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +||
| GPT | +32 | +N/A | +N/A | +|
| 64 | +1 | +[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk) | +||
| Windows 8 or later | +MBR | +32 | +1 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +
| 64 | +1, 2 | +[Prepare a generation 1 VM](#prepare-a-generation-1-vm) | +||
| GPT | +32 | +1 | +[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk) | +|
| 64 | +2 | +[Prepare a generation 2 VM](#prepare-a-generation-2-vm) | +
+
-
+
- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). +
- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the **mountvol** command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm). +
- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm). +
+ C:\vhd>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + w7.VHDX ++ +#### Prepare a generation 2 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, open an elevated command prompt and type the following command: + +
mountvol s: /s+ + This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). + +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +4. Select the checkboxes next to the **C:\** and the **S:\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. + + **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: + +  + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
+ C:\vhd>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + PC1.VHDX ++ +#### Prepare a generation 1 VM from a GPT disk + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkbox next to the **C:\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: + +  + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + +
+ C:\vhd>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + w7.VHD ++ + >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + +### Resize VHD + +**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. + +As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. + +1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + +
+ Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB + $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter + Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax ++ +2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: + +
+ Get-Volume -DriveLetter $x + Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd+ +### Configure Hyper-V + +1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": + + >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+ A) Remove the existing external virtual switch, then add the poc-external switch
+ B) Rename the existing external switch to "poc-external"
+ C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ If you choose B) or C), then do not run the second command below. + +
+ New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+ New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
+
+ **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+
+ >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+
+2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
+
+ + (Get-VMHostNumaNode).MemoryAvailable ++ + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: + +
+ (Get-VMHostNumaNode).MemoryAvailable/4 + 2775.5 ++ + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. + >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. + +
+ $maxRAM = 2700MB + New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal + Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1 + New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal + Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external" + Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1 ++ + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. + + To create a generation 1 VM (using c:\vhd\w7.vhdx): + +
+ New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal + Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1 ++ + To create a generation 2 VM (using c:\vhd\PC1.vhdx): + +
+ New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal + Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1 ++ + To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): + + >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. + + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + +
+ New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+ Mount-VHD -Passthru |
+ Get-Disk -Number {$_.DiskNumber} |
+ Initialize-Disk -PartitionStyle MBR -PassThru |
+ New-Partition -UseMaximumSize |
+ Format-Volume -Confirm:$false -FileSystem NTFS -force
+ Dismount-VHD -Path c:\vhd\d.vhd
+
+
+ Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt):
+
+ + New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal + Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd + Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso + Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 + Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1 + Start-VM PC1 + vmconnect localhost PC1 ++ + The VM will automatically boot into Windows Setup. In the PC1 window: + + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: + +
+ dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C ++ + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + +
+ diskpart + select disk 0 + clean + convert MBR + create partition primary size=100 + format fs=ntfs quick + active + create partition primary + format fs=ntfs quick label=OS + assign letter=c + exit ++ + 7. Type the following commands to restore the OS image and boot files: + +
+ dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ + bcdboot c:\windows + exit ++ + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + +
+ Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1 + Set-VMDvdDrive -VMName PC1 -Path $null ++ +### Configure VMs + +1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: + +
+ Start-VM DC1 + vmconnect localhost DC1 ++ +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**. +3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: + +
+ Rename-Computer DC1 + New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2 + Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 ++ + >The default gateway at 192.168.0.2 will be configured later in this guide. + + >Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + +6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: + +
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools ++ +7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: + +
+ Restart-Computer ++ +8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: + +
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force + Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force ++ + Ignore any warnings that are displayed. The computer will automatically reboot upon completion. + +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and supress the post-DHCP-install alert: + +
+ Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest + Add-WindowsFeature -Name DHCP -IncludeManagementTools + netsh dhcp add securitygroups + Restart-Service DHCPServer + Add-DhcpServerInDC dc1.contoso.com 192.168.0.1 + Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2 ++ +10. Next, add a DHCP scope and set option values: + +
+ Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active + Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force ++ + >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: + +
+ Get-DnsServerForwarder ++ + The following output should be displayed: + +
+ UseRootHint : True + Timeout(s) : 3 + EnableReordering : True + IPAddress : 192.168.0.2 + ReorderedIPAddress : 192.168.0.2 ++ + If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + +
+ Add-DnsServerForwarder -IPAddress 192.168.0.2 ++ +12. Minimize the DC1 VM window but **do not stop** the VM. + + Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + +13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: + +
+ Start-VM PC1 + vmconnect localhost PC1 ++ +14. Sign in to PC1 using an account that has local administrator rights. + + >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + +15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. + +  + + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + +16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. + +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. + + To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + + ``` + ipconfig + + Windows IP Configuration + + Ethernet adapter Local Area Connection 3: + Connection-specific DNS Suffix . : contoso.com + Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 + Ipv4 Address. . . . . . . . . . . : 192.168.0.101 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : 192.168.0.2 + + ping dc1.contoso.com + + Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + + nltest /dsgetdc:contoso.com + DC: \\DC1 + Address: \\192.168.0.1 + Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 + Dom Name: CONTOSO + Forest Name: contoso.com + Dc Site Name: Default-First-Site-Name + Our Site Name: Default-First-Site-Name + Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 + ``` + + >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: + +
+ (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0) + $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force + $user = "contoso\administrator" + $cred = New-Object System.Management.Automation.PSCredential($user,$pass) + Add-Computer -DomainName contoso.com -Credential $cred + Restart-Computer ++ + >If you do not see the script pane, click **View** and then click **Show Script Pane Top**. + + See the following example: + +  + +19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +20. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services: + +
+ Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host ++ + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service. Otherwise, just create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. Be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + +21. On PC1, type the following commands at an elevated Windows PowerShell prompt: + +
+ Get-Content c:\pc1.ps1 | powershell.exe -noprofile - ++ + >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + +22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all use accounts, or only other specific accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: + +
+ Start-VM SRV1 + vmconnect localhost SRV1 ++ +25. Accept the default settings, read license terms and accept them, provide an administrator password of **pass@word1**, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. +27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: + +
+ Rename-Computer SRV1 + New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24 + Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 + Restart-Computer ++ +28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: + +
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force + $user = "contoso\administrator" + $cred = New-Object System.Management.Automation.PSCredential($user,$pass) + Add-Computer -DomainName contoso.com -Credential $cred + Restart-Computer ++ +29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: + +
+ Install-WindowsFeature -Name DNS -IncludeManagementTools + Install-WindowsFeature -Name WDS -IncludeManagementTools + Install-WindowsFeature -Name Routing -IncludeManagementTools ++ +30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. + + To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: + +
+ Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias + + IPAddress InterfaceAlias + --------- -------------- + 10.137.130.118 Ethernet 2 + 192.168.0.2 Ethernet ++ + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. + +31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: + +
+ Install-RemoteAccess -VpnType Vpn + cmd /c netsh routing ip nat install + cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL + cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE + cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE ++ +32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: + +
+ Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1 ++ +33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: + +
+ ping www.microsoft.com ++ + If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + +
+ Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses ++ +34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): + +
+ PS C:\> ping www.microsoft.com + + Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data: + Reply from 23.222.146.170: bytes=32 time=3ms TTL=51 + Reply from 23.222.146.170: bytes=32 time=2ms TTL=51 + Reply from 23.222.146.170: bytes=32 time=2ms TTL=51 + Reply from 23.222.146.170: bytes=32 time=1ms TTL=51 + + Ping statistics for 23.222.146.170: + Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), + Approximate round trip times in milli-seconds: + Minimum = 1ms, Maximum = 3ms, Average = 2ms ++ +35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-b-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: + +
+ runas /noprofile /env /user:administrator@contoso.com "cmd slmgr -rearm" + Restart-Computer ++ +### Configure service and user accounts + +Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + +>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
+New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true +Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA +Set-ADUser -Identity user1 -PasswordNeverExpires $true +Set-ADUser -Identity administrator -PasswordNeverExpires $true +Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true +Set-ADUser -Identity CM_JD -PasswordNeverExpires $true +Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true ++ +## Appendix A: Verify the configuration + +Use the following procedures to verify that the PoC environment is configured properly and working as expected. + +1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
+ Get-Service NTDS,DNS,DHCP + DCDiag -a + Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A + Get-DnsServerForwarder + Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com + Get-DhcpServerInDC + Get-DhcpServerv4Statistics + ipconfig /all ++ + **Get-Service** displays a status of "Running" for all three services.
+ **DCDiag** displays "passed test" for all tests.
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+ **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
+ **Resolve-DnsName** displays public IP address results for www.microsoft.com.
+ **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
+ **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
+ **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. + +2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + +
+ Get-Service DNS,RemoteAccess + Get-DnsServerForwarder + Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com + ipconfig /all + netsh int ipv4 show address ++ + **Get-Service** displays a status of "Running" for both services.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Resolve-DnsName** displays public IP address results for www.microsoft.com.
+ **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + +3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: + +
+ whoami + hostname + nslookup www.microsoft.com + ping -n 1 dc1.contoso.com + tracert www.microsoft.com ++ + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+ **hostname** displays the name of the local computer, for example W7PC-001.
+ **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + + +## Appendix B: Terminology used in this guide + +
+ +
| Term | Definition + |
| GPT | GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. + |
| Hyper-V | Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. + |
| Hyper-V host | The computer where Hyper-V is installed. + |
| Hyper-V Manager | The user-interface console used to view and configure Hyper-V. + |
| MBR | Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. + |
| Proof of concept (PoC) | Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. + |
| Shadow copy | A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. + |
| Virtual machine (VM) | A VM is a virtual computer with its own operating system, running on the Hyper-V host. + |
| Virtual switch | A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. + |
| VM snapshot | A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. + |
-```text -https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=
+ + An Azure login page appears. + > [!NOTE] + > - Replace *tenant ID* with your actual tenant ID. + > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear. 15. Sign in with the credentials of a user from your tenant. @@ -80,7 +78,37 @@ An Azure login page appears. 23. Save the application changes. -After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. +After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. + +## Obtain a refresh token using an events URL +Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. +>[!NOTE] +>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). + +### Before you begin +Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + + - OAuth 2 Client ID + - OAuth 2 Client secret + +You'll use these values to obtain a refresh token. + +>[!IMPORTANT] +>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret. + +### Obtain a refresh token +1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=
- > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector``` - > -- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. -- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. -- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide. + - **client_ID**: OAuth 2 Client ID + - **client_secret**: OAuth 2 Client secret + - **auth_url**: ```https://login.microsoftonline.com/
For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). **To get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. diff --git a/windows/keep-secure/images/atp-refresh-token.png b/windows/keep-secure/images/atp-refresh-token.png new file mode 100644 index 0000000000..3f7e8c7c69 Binary files /dev/null and b/windows/keep-secure/images/atp-refresh-token.png differ diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 3e1ed57822..1307bc7110 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -17,19 +17,19 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | Topic | Description | | - | - | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | -| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | -| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | +| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | +| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | | [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | -| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | +| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | | [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | -| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | +| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. For example, learn about AppLocker, BitLocker, and Security auditing. | +| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Review technology overviews that help you understand Windows 10 security technologies in the context of the enterprise. | | [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index c0577fe786..3712b6aed0 100644 --- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -75,5 +75,5 @@ Another Windows 10 feature that employs VBS is [Credential Guard](credential-gua Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. -In addition to the client-side enabling of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. For more information, see the [Additional mitigations](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#additional-mitigations) section in “Protect derived domain credentials with Credential Guard.” + diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index c95ae45458..39aaeb8dc5 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -25,8 +25,8 @@ This table provides info about the most common problems you might encounter whil
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).
(Replace "contoso" with your domain name(s) | |-----------------------------|---------------------------------------------------------------------| -|Office 365 for Business |
- contoso.sharepoint.com
- contoso-my.sharepoint.com
- contoso-files.sharepoint.com
- tasks.office.com
- lists.office.com
- collabdb.com
- www.collabdb.com
- protection.office.com
- meet.lync.com
- teams.microsoft.com
- contoso.sharepoint.com
- contoso-my.sharepoint.com
- contoso-files.sharepoint.com
- tasks.office.com
- protection.office.com
- meet.lync.com
- teams.microsoft.com
- www.yammer.com
- yammer.com
- persona.yammer.com
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index 8bd5183126..6b82a956c7 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -11,21 +11,23 @@ author: brianlic-msft # Security technologies -Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. +As an IT professional, you can use these topics to learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. -| Topic | Description | +| Section | Description | |-|-| | [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. | -| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.| -| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.| -| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.| -| [Security auditing](security-auditing-overview.md)| Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.| -| [Security policy settings](security-policy-settings.md)| This reference topic describes the common scenarios, architecture, and processes for security settings.| -| [Trusted Platform Module](trusted-platform-module-overview.md)| This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.| -| [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| -| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| -| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.| -| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. | +| [AppLocker](applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.| +| [BitLocker](bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. | +| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.| +| [Security auditing](security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.| +| [Security policy settings](security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.| +| [Smart Cards](smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | +| [Trusted Platform Module](trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. | +| [User Account Control](user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| +| [Virtual Smart Cards](virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | +| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| +| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. | diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 1f8ff19c14..d68415cde7 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -1,6 +1,19 @@ # [Manage and update Windows 10](index.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) -## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) +## [Cortana integration in your business or enterprise](cortana-at-work-overview.md) +### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md) +#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md) +#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md) +#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md) +#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md) +#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md) +#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md) +### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md) +### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md) +### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md) +### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md) +### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md) +### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md) ## [Update Windows 10 in the enterprise](waas-update-windows-10.md) ### [Quick guide to Windows as a service](waas-quick-start.md) ### [Overview of Windows as a service](waas-overview.md) @@ -32,6 +45,8 @@ ## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) ### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) ### [Customize and export Start layout](customize-and-export-start-layout.md) +### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) ### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) ### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) ### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index b42a844ee5..26af07a521 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -14,12 +14,23 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## January 2017 + +| New or changed topic | Description | +| --- | --- | +| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New | +| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) | +| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) | + + + ## December 2016 | New or changed topic | Description | | --- | --- | | [Quick guide to Windows as a service](waas-quick-start.md) | New | | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Added video demonstration of the latest in modern management for Windows 10 | +| [Windows Store for Business overview](windows-store-for-business-overview.md) | Updated list of supported markets. | ## November 2016 diff --git a/windows/manage/cortana-at-work-crm.md b/windows/manage/cortana-at-work-crm.md new file mode 100644 index 0000000000..834bde8a92 --- /dev/null +++ b/windows/manage/cortana-at-work-crm.md @@ -0,0 +1,62 @@ +--- +title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10) +description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization +**Applies to:** + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. + +>[!NOTE] +>For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819). + + + +## Turn on Cortana with Dynamics CRM in your organization +You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)? + +**To turn on Cortana with Dynamics CRM** + +1. Go to **Settings**, and then click **Administration**. + +2. Choose **System Settings**, and then click the **Previews** tab. + +3. Read the license terms, and if you agree, select the **I’ve read and agree to the license terms** check box. + +4. For each preview feature you want to enable, click **Yes**. + +## Turn on Cortana with Dynamics CRM on your employees’ devices +You must tell your employees to turn on Cortana, before they’ll be able to use it with Dynamics CRM. + +**To turn on local Cortana with Dynamics CRM** + +1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. + +2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**. + +  + + The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen. + +## Turn off Cortana with Dynamics CRM +Cortana can only access data in Dynamics CRM when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off. + +**To turn off Cortana with Dynamics CRM** +1. Go to **Settings**, and then click **Administration**. + +2. Choose **System Settings**, and then click the **Previews** tab. + +3. Click **No** for **Cortana**. + + All Dynamics CRM functionality related to Cortana is turned off in your organization. \ No newline at end of file diff --git a/windows/manage/cortana-at-work-feedback.md b/windows/manage/cortana-at-work-feedback.md new file mode 100644 index 0000000000..ca24c22703 --- /dev/null +++ b/windows/manage/cortana-at-work-feedback.md @@ -0,0 +1,24 @@ +--- +title: Send feedback about Cortana at work back to Microsoft (Windows 10) +description: How to send feedback to Microsoft about Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Send feedback about Cortana at work back to Microsoft +**Applies to:** + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems. + + + +If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc). + diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md new file mode 100644 index 0000000000..d58663dc00 --- /dev/null +++ b/windows/manage/cortana-at-work-o365.md @@ -0,0 +1,72 @@ +--- +title: Set up and test Cortana with Office 365 in your organization (Windows 10) +description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Set up and test Cortana with Office 365 in your organization +**Applies to:** + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. + +But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late. + + + +We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful. + +>[!NOTE] +>For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379). + +## Before you begin +There are a few things to be aware of before you start using Cortana with Office 365 in your organization. + +- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations. + +- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf. + +- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](http://go.microsoft.com/fwlink/p/?LinkId=536419). + +- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](http://go.microsoft.com/fwlink/p/?LinkId=620763). + +## Turn on Cortana with Office 365 on employees’ devices +You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365. + +**To turn on local Cortana with Office 365** + +1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. + +2. Click on **Connected Services**, click **Office 365**, and then click **Connect**. + +  + + The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen. + +## Turn off Cortana with Office 365 +Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Office 365 admin center. + +**To turn off Cortana with Office 365** +1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. + +2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). + +3. Expand **Service Settings**, and select **Cortana**. + +4. Click **Cortana** to toggle Cortana off. + + All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work. + + + + + + diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md new file mode 100644 index 0000000000..96064364c3 --- /dev/null +++ b/windows/manage/cortana-at-work-overview.md @@ -0,0 +1,64 @@ +--- +title: Cortana integration in your business or enterprise (Windows 10) +description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Cortana integration in your business or enterprise +**Applies to:** + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Who is Cortana? +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. +Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. + +Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. + + + +## Where is Cortana available for use in my organization? +You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers. + +Cortana is available on Windows 10, Windows Insider Program and with limited functionality on Windows Phone 8.1, Windows Insider Program. + +## Required hardware and software +Cortana requires the following hardware and software to successfully run the included scenario in your organization. + +|Hardware |Description | +|---------|------------| +|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. | +|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. | +|Desktop devices |For non-phone-related scenarios. | + + +|Software |Minimum version | +|---------|------------| +|Client operating system |
- **Desktop:** Windows 10, Windows Insider Program
- **Mobile:** Windows 8.1, Windows Insider Program (with limited functionality) | +|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. | +|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.
For example:
If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.
If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. | +|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| + +## Signing in using Azure AD +Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx) + +## Cortana and privacy +We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. + +Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). + +## See also +- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818) + +- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) + +- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) + +- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/manage/cortana-at-work-policy-settings.md b/windows/manage/cortana-at-work-policy-settings.md new file mode 100644 index 0000000000..83f10f7d3e --- /dev/null +++ b/windows/manage/cortana-at-work-policy-settings.md @@ -0,0 +1,44 @@ +--- +title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10) +description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization +**Applies to:** + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!NOTE] +>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). + +|Group policy |MDM policy |Description | +|-------------|-----------|------------| +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
**NOTE**
This setting only applies to Windows 10 for desktop devices. |
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
+|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
+|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Use this setting if you only want to support Azure AD in your organization.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**NOTE**
This setting only applies to Windows 10 Mobile.|
+|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
**In Windows 10 Pro edition**
This setting can’t be managed.
**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
**IMPORTANT**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md
new file mode 100644
index 0000000000..98b90f572f
--- /dev/null
+++ b/windows/manage/cortana-at-work-powerbi.md
@@ -0,0 +1,138 @@
+---
+title: Set up and test Cortana for Power BI in your organization (Windows 10)
+description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test Cortana for Power BI in your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
+
+>[!Note]
+>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
+
+## Before you begin
+To use this walkthrough, you’ll need:
+
+- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program.
+
+- **Cortana**. You need to have Cortana turned on and be logged into your account.
+
+- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
+
+- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
+
+ **To connect your account to Windows**
+ a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
+
+ b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
+
+## Set up your test environment for Cortana for Power BI
+Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
+
+**To set up your test environment with Cortana and Power BI**
+
+1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
+
+2. Expand the left rail by clicking the **Show the navigation pane** icon.
+
+ 
+
+3. Click **Get Data** from the left-hand navigation in Power BI.
+
+ 
+
+4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
+
+ 
+
+5. Click **Retail Analysis Sample**, and then click **Connect**.
+
+ 
+
+ The sample data is imported and you’re returned to the **Power BI** screen.
+
+6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
+
+ 
+
+7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
+
+ 
+
+8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
+
+9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
+
+ 
+
+ >[!NOTE]
+ >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. + +## Create a custom Answer Page for Cortana +You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana. + +After you’ve finished creating your Answer Page, you can continue to the included testing scenarios. + + >[!NOTE] + >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately. + +**To create a custom sales data Answer Page for Cortana** +1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. + +  + +2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**. + + A blank report page appears. + +3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list. + +  + +4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**. + +  + + The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders. + +5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box. + + The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns. + +  + +6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. + + Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears. + +## Test Scenario: Use Cortana to show info from Power BI in your organization +Now that you’ve set up your device, you can use Cortana to show your info from within Power BI. + +**To use Cortana with Power BI** +1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. + +2. Type _This year in sales_. + + Cortana shows you the available results. + +  + +3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**. + + Cortana returns your custom report. + +  + +>[!NOTE] +>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/manage/cortana-at-work-scenario-1.md b/windows/manage/cortana-at-work-scenario-1.md new file mode 100644 index 0000000000..4a9714a455 --- /dev/null +++ b/windows/manage/cortana-at-work-scenario-1.md @@ -0,0 +1,58 @@ +--- +title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10) +description: A test scenario walking you through signing in and managing the notebook. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook. + +## Turn on Azure AD +This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. + +1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**. + +2. Click your email address. + + A dialog box appears, showing the associated account info. + +3. Click your email address again, and then click **Sign out**. + + This signs out the Microsoft account, letting you continue to add and use the Azure AD account. + +4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request. + +5. Click **Sign-In** and follow the instructions. + +6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com. + + >[!IMPORTANT] + >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it. + +## Use Cortana to manage the notebook content +This process helps you to manage the content Cortana shows in your Notebook. + +1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**. + +2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**. + +3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**. + +  + +4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington. + +  \ No newline at end of file diff --git a/windows/manage/cortana-at-work-scenario-2.md b/windows/manage/cortana-at-work-scenario-2.md new file mode 100644 index 0000000000..fb7b00d578 --- /dev/null +++ b/windows/manage/cortana-at-work-scenario-2.md @@ -0,0 +1,41 @@ +--- +title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10) +description: A test scenario about how to perform a quick search with Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Test scenario 2 - Perform a quick search with Cortana at work + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. + +## Search using Cortana +This process helps you use Cortana at work to perform a quick search. + +1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. + +2. Type *Weather in New York*. + + You should see the weather in New York, New York at the top of the search results. + +  + +## Search with Cortana, by using voice commands +This process helps you to use Cortana at work and voice commands to perform a quick search. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). + +2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago. + +  \ No newline at end of file diff --git a/windows/manage/cortana-at-work-scenario-3.md b/windows/manage/cortana-at-work-scenario-3.md new file mode 100644 index 0000000000..89610c7093 --- /dev/null +++ b/windows/manage/cortana-at-work-scenario-3.md @@ -0,0 +1,86 @@ +--- +title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10) +description: A test scenario about how to set a location-based reminder using Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +localizationpriority: high +--- + +# Test scenario 3 - Set a reminder for a specific location using Cortana at work + +- Windows 10, Windows Insider Program +- Windows 10 Mobile, Windows Insider Program + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>[!IMPORTANT] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. + +>[!NOTE] +>You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+
+## Create a reminder for a specific location
+This process helps you to create a reminder based on a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
+
+ 
+
+3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
+
+ 
+
+4. Click **Done**.
+
+ >[!NOTE]
+ >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
+
+5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
+
+6. Take a picture of your receipts and store them locally on your device.
+
+7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
+
+ The photo is stored with the reminder.
+
+ 
+
+8. Review the reminder info, and then click **Remind**.
+
+ The reminder is saved and ready to be triggered.
+
+ 
+
+## Create a reminder for a specific location by using voice commands
+This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say _Remind me to grab my expense report receipts before I leave home_.
+
+ Cortana opens a new reminder task and asks if it sounds good.
+
+ 
+
+3. Say _Yes_ so Cortana can save the reminder.
+
+ 
+
+## Edit or archive an existing reminder
+This process helps you to edit or archive and existing or completed reminder.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+ 
+
+2. Click the pending reminder you want to edit.
+
+ 
+
+3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-4.md b/windows/manage/cortana-at-work-scenario-4.md
new file mode 100644
index 0000000000..56f1f6af66
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-4.md
@@ -0,0 +1,51 @@
+---
+title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
+description: A test scenario about how to use Cortana at work to find your upcoming meetings.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
+
+>[!NOTE]
+>If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+
+## Find out about upcoming meetings
+This process helps you find your upcoming meetings.
+
+1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type _Show me my meetings for tomorrow_.
+
+ You’ll see all your meetings scheduled for the next day.
+
+ 
+
+## Find out about upcoming meetings by using voice commands
+This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
+
+2. Say _Show me what meeting I have at 3pm tomorrow_.
+
+ >[!IMPORTANT]
+ >Make sure that you have a meeting scheduled for the time you specify here.
+
+ 
+
+
diff --git a/windows/manage/cortana-at-work-scenario-5.md b/windows/manage/cortana-at-work-scenario-5.md
new file mode 100644
index 0000000000..8373a4f4c2
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-5.md
@@ -0,0 +1,57 @@
+---
+title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
+description: A test scenario about how to use Cortana at work to send email to a co-worker.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 5 - Use Cortana to send email to a co-worker
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+
+## Send an email to a co-worker
+This process helps you to send a quick message to a co-worker from the work address book.
+
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type _Send an email to <contact_name>_.
+
+ Where _<contact_name>_ is the name of someone in your work address book.
+
+4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
+
+ 
+
+## Send an email to a co-worker by using voice commands
+This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
+
+2. Say _Send an email to <contact_name>_.
+
+ Where _<contact_name>_ is the name of someone in your work address book.
+
+3. Add your email message by saying, _Hello this is a test email using Cortana at work._
+
+ The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
+
+ 
+
+4. Say _Send it_.
+
+ The email is sent.
+
+ 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/manage/cortana-at-work-scenario-6.md
new file mode 100644
index 0000000000..ac15463824
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-6.md
@@ -0,0 +1,37 @@
+---
+title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+
+## Use Cortana and WIP to protect your organization’s data
+
+1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+
+2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+
+3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+
+4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+
+5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md
new file mode 100644
index 0000000000..41f734e006
--- /dev/null
+++ b/windows/manage/cortana-at-work-testing-scenarios.md
@@ -0,0 +1,32 @@
+---
+title: Testing scenarios using Cortana in your business or organization (Windows 10)
+description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Testing scenarios using Cortana in your business or organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
+
+- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
+
+- Set a reminder and have it remind you when you’ve reached a specific location.
+
+- Search for your upcoming meetings on your work calendar.
+
+- Send an email to a co-worker from your work email app.
+
+- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md
new file mode 100644
index 0000000000..766a5914ad
--- /dev/null
+++ b/windows/manage/cortana-at-work-voice-commands.md
@@ -0,0 +1,64 @@
+---
+title: Set up and test custom voice commands in Cortana for your organization (Windows 10)
+description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test custom voice commands in Cortana for your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
+
+>[!NOTE]
+>For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions).
+
+## High-level process
+Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
+
+To enable voice commands in Cortana
+
+1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
+
+ Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
+
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana).
+
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana).
+
+2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
+
+## Test Scenario: Use voice commands in a Windows Store app
+While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
+
+**To get a Windows Store app**
+1. Go to the Windows Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**.
+
+2. Click **Uber**, and then click **Install**.
+
+3. Open Uber, create an account or sign in, and then close the app.
+
+**To set up the app with Cortana**
+1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+
+2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
+
+ 
+
+**To use the voice-enabled commands with Cortana**
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say _Uber get me a taxi_.
+
+ Cortana changes, letting you provide your trip details for Uber.
+
+## See also
+- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
\ No newline at end of file
diff --git a/windows/manage/images/cortana-about-me.png b/windows/manage/images/cortana-about-me.png
new file mode 100644
index 0000000000..32c1ccefab
Binary files /dev/null and b/windows/manage/images/cortana-about-me.png differ
diff --git a/windows/manage/images/cortana-add-reminder.png b/windows/manage/images/cortana-add-reminder.png
new file mode 100644
index 0000000000..3f03528e11
Binary files /dev/null and b/windows/manage/images/cortana-add-reminder.png differ
diff --git a/windows/manage/images/cortana-chicago-weather.png b/windows/manage/images/cortana-chicago-weather.png
new file mode 100644
index 0000000000..9273bf201b
Binary files /dev/null and b/windows/manage/images/cortana-chicago-weather.png differ
diff --git a/windows/manage/images/cortana-complete-send-email-coworker-mic.png b/windows/manage/images/cortana-complete-send-email-coworker-mic.png
new file mode 100644
index 0000000000..3238c8d31d
Binary files /dev/null and b/windows/manage/images/cortana-complete-send-email-coworker-mic.png differ
diff --git a/windows/manage/images/cortana-connect-crm.png b/windows/manage/images/cortana-connect-crm.png
new file mode 100644
index 0000000000..c70c42f75e
Binary files /dev/null and b/windows/manage/images/cortana-connect-crm.png differ
diff --git a/windows/manage/images/cortana-connect-o365.png b/windows/manage/images/cortana-connect-o365.png
new file mode 100644
index 0000000000..df1ffa449b
Binary files /dev/null and b/windows/manage/images/cortana-connect-o365.png differ
diff --git a/windows/manage/images/cortana-connect-uber.png b/windows/manage/images/cortana-connect-uber.png
new file mode 100644
index 0000000000..724fecb5b5
Binary files /dev/null and b/windows/manage/images/cortana-connect-uber.png differ
diff --git a/windows/manage/images/cortana-crm-screen.png b/windows/manage/images/cortana-crm-screen.png
new file mode 100644
index 0000000000..ded5d80a59
Binary files /dev/null and b/windows/manage/images/cortana-crm-screen.png differ
diff --git a/windows/manage/images/cortana-feedback.png b/windows/manage/images/cortana-feedback.png
new file mode 100644
index 0000000000..6e14018c98
Binary files /dev/null and b/windows/manage/images/cortana-feedback.png differ
diff --git a/windows/manage/images/cortana-final-reminder.png b/windows/manage/images/cortana-final-reminder.png
new file mode 100644
index 0000000000..f114e058e5
Binary files /dev/null and b/windows/manage/images/cortana-final-reminder.png differ
diff --git a/windows/manage/images/cortana-meeting-specific-time.png b/windows/manage/images/cortana-meeting-specific-time.png
new file mode 100644
index 0000000000..a108355133
Binary files /dev/null and b/windows/manage/images/cortana-meeting-specific-time.png differ
diff --git a/windows/manage/images/cortana-meeting-tomorrow.png b/windows/manage/images/cortana-meeting-tomorrow.png
new file mode 100644
index 0000000000..13273b6600
Binary files /dev/null and b/windows/manage/images/cortana-meeting-tomorrow.png differ
diff --git a/windows/manage/images/cortana-newyork-weather.png b/windows/manage/images/cortana-newyork-weather.png
new file mode 100644
index 0000000000..b3879737be
Binary files /dev/null and b/windows/manage/images/cortana-newyork-weather.png differ
diff --git a/windows/manage/images/cortana-o365-screen.png b/windows/manage/images/cortana-o365-screen.png
new file mode 100644
index 0000000000..ba06dd6de5
Binary files /dev/null and b/windows/manage/images/cortana-o365-screen.png differ
diff --git a/windows/manage/images/cortana-place-reminder.png b/windows/manage/images/cortana-place-reminder.png
new file mode 100644
index 0000000000..89ccdab3e3
Binary files /dev/null and b/windows/manage/images/cortana-place-reminder.png differ
diff --git a/windows/manage/images/cortana-powerbi-create-report.png b/windows/manage/images/cortana-powerbi-create-report.png
new file mode 100644
index 0000000000..a22789d72a
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-create-report.png differ
diff --git a/windows/manage/images/cortana-powerbi-expand-nav.png b/windows/manage/images/cortana-powerbi-expand-nav.png
new file mode 100644
index 0000000000..c8b47943f9
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-expand-nav.png differ
diff --git a/windows/manage/images/cortana-powerbi-field-selection.png b/windows/manage/images/cortana-powerbi-field-selection.png
new file mode 100644
index 0000000000..8aef58c23a
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-field-selection.png differ
diff --git a/windows/manage/images/cortana-powerbi-getdata-samples.png b/windows/manage/images/cortana-powerbi-getdata-samples.png
new file mode 100644
index 0000000000..3bfa4792df
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-getdata-samples.png differ
diff --git a/windows/manage/images/cortana-powerbi-getdata.png b/windows/manage/images/cortana-powerbi-getdata.png
new file mode 100644
index 0000000000..55b7b61589
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-getdata.png differ
diff --git a/windows/manage/images/cortana-powerbi-myreport.png b/windows/manage/images/cortana-powerbi-myreport.png
new file mode 100644
index 0000000000..cc04d9c6f0
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-myreport.png differ
diff --git a/windows/manage/images/cortana-powerbi-pagesize.png b/windows/manage/images/cortana-powerbi-pagesize.png
new file mode 100644
index 0000000000..fd1c1ef917
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-pagesize.png differ
diff --git a/windows/manage/images/cortana-powerbi-report-qna.png b/windows/manage/images/cortana-powerbi-report-qna.png
new file mode 100644
index 0000000000..d17949aa8a
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-report-qna.png differ
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png
new file mode 100644
index 0000000000..5b94a2e2fc
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png differ
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png b/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png
new file mode 100644
index 0000000000..b2ffec3b70
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png differ
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-sample.png b/windows/manage/images/cortana-powerbi-retail-analysis-sample.png
new file mode 100644
index 0000000000..e3b61dcaa2
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-retail-analysis-sample.png differ
diff --git a/windows/manage/images/cortana-powerbi-search.png b/windows/manage/images/cortana-powerbi-search.png
new file mode 100644
index 0000000000..88a8b40296
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-search.png differ
diff --git a/windows/manage/images/cortana-powerbi-settings.png b/windows/manage/images/cortana-powerbi-settings.png
new file mode 100644
index 0000000000..0f51229895
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-settings.png differ
diff --git a/windows/manage/images/cortana-redmond-weather.png b/windows/manage/images/cortana-redmond-weather.png
new file mode 100644
index 0000000000..7e8adc1929
Binary files /dev/null and b/windows/manage/images/cortana-redmond-weather.png differ
diff --git a/windows/manage/images/cortana-reminder-edit.png b/windows/manage/images/cortana-reminder-edit.png
new file mode 100644
index 0000000000..79cc280947
Binary files /dev/null and b/windows/manage/images/cortana-reminder-edit.png differ
diff --git a/windows/manage/images/cortana-reminder-list.png b/windows/manage/images/cortana-reminder-list.png
new file mode 100644
index 0000000000..1f57fc0f05
Binary files /dev/null and b/windows/manage/images/cortana-reminder-list.png differ
diff --git a/windows/manage/images/cortana-reminder-mic.png b/windows/manage/images/cortana-reminder-mic.png
new file mode 100644
index 0000000000..46a18e8e0b
Binary files /dev/null and b/windows/manage/images/cortana-reminder-mic.png differ
diff --git a/windows/manage/images/cortana-reminder-pending-mic.png b/windows/manage/images/cortana-reminder-pending-mic.png
new file mode 100644
index 0000000000..159d408e0a
Binary files /dev/null and b/windows/manage/images/cortana-reminder-pending-mic.png differ
diff --git a/windows/manage/images/cortana-reminder-pending.png b/windows/manage/images/cortana-reminder-pending.png
new file mode 100644
index 0000000000..a6b64b5621
Binary files /dev/null and b/windows/manage/images/cortana-reminder-pending.png differ
diff --git a/windows/manage/images/cortana-send-email-coworker-mic.png b/windows/manage/images/cortana-send-email-coworker-mic.png
new file mode 100644
index 0000000000..0cfa8fb731
Binary files /dev/null and b/windows/manage/images/cortana-send-email-coworker-mic.png differ
diff --git a/windows/manage/images/cortana-send-email-coworker.png b/windows/manage/images/cortana-send-email-coworker.png
new file mode 100644
index 0000000000..40ce18bdca
Binary files /dev/null and b/windows/manage/images/cortana-send-email-coworker.png differ
diff --git a/windows/manage/images/cortana-weather-multipanel.png b/windows/manage/images/cortana-weather-multipanel.png
new file mode 100644
index 0000000000..e8db031744
Binary files /dev/null and b/windows/manage/images/cortana-weather-multipanel.png differ
diff --git a/windows/manage/images/mobile-start-layout.png b/windows/manage/images/mobile-start-layout.png
new file mode 100644
index 0000000000..d1055d6c87
Binary files /dev/null and b/windows/manage/images/mobile-start-layout.png differ
diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md
index 5fb13a4fac..33b7160191 100644
--- a/windows/manage/manage-cortana-in-enterprise.md
+++ b/windows/manage/manage-cortana-in-enterprise.md
@@ -1,84 +1,5 @@
---
title: Cortana integration in your business or enterprise (Windows 10)
description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
-ms.assetid: db7b05da-186f-4628-806a-f8b134e2af2c
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: eross-msft
-localizationpriority: high
----
-
-# Cortana integration in your business or enterprise
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
-
-The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
-
-## Cortana integration with Office 365
-Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
-
-But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they won’t be late.
-
->**Important**
->Before your employees can use Cortana with Office 365, they must sign into Cortana using a Microsoft account (such as, @outlook.com), and then they must go to the **Connected Accounts** section of Cortana’s notebook to turn on and connect to Office 365.
-
-
-**More info:**
-
-- For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717378) support topic.
-
-- For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717379).
-
-## Cortana and Power BI
-Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop.
-
-**More info:**
-
-- For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](https://go.microsoft.com/fwlink/p/?LinkId=717382) blog.
-
-## Cortana and Microsoft Dynamics CRM
-Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
-
-**More info:**
-- For more info about Preview features, see [What are Preview features and how do I enable them?](https://go.microsoft.com/fwlink/p/?LinkId=746817).
-- For more info about Cortana, see [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818).
-- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
-
-## Cortana and privacy
-We understand that there are concerns about Cortana and enterprise privacy, so we’ve put together the [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=717383) topic that covers many of the frequently asked questions. These questions include things such as what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services.
-
-## Set up Cortana using Group Policy and MDM policies
-Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies.
-
-|Group policy |MDM policy |Description |
-|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
**Note**
This setting only applies to Windows 10 for desktop devices. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). |
-|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). |
-|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
**Note**
This setting only applies to Windows 10 Mobile. |
-|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.
**In Windows 10 Pro edition**
This setting can’t be managed.
**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled). |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. |
-
-**More info:**
-- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=717381).
-
-## Related topics
-- [Cortana and Windows](https://go.microsoft.com/fwlink/p/?LinkId=717384)
-- [Cortana for developers](https://go.microsoft.com/fwlink/p/?LinkId=717385)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview
+---
\ No newline at end of file
diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md
new file mode 100644
index 0000000000..aa6a1bd126
--- /dev/null
+++ b/windows/manage/start-layout-xml-desktop.md
@@ -0,0 +1,493 @@
+---
+title: Start layout XML for desktop editions of Windows 10 (Windows 10)
+description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
+keywords: ["start screen"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Start layout XML for desktop editions of Windows 10 (reference)
+
+
+**Applies to**
+
+- Windows 10
+
+>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+
+On Windows 10 for desktop editions, the customized Start works by:
+
+- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region.
+
+- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints:
+ - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
+ - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
+ - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
+
+## LayoutModification XML
+
+IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions.
+
+>[!NOTE]
+>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
+>- Do not leave spaces or white lines in between each element.
+>- Do not add comments inside the StartLayout node or any of its children elements.
+>- Do not add multiple rows of comments.
+
+The following table lists the supported elements and attributes for the LayoutModification.xml file.
+
+| Element | Attributes | Description |
+| --- | --- | --- |
+| LayoutModificationTemplate | xmlnsxmlns:defaultlayoutxmlns:startVersion | Use to describe the changes to the default Start layout |
+| [LayoutOptions](#layoutoptions)Parent:LayoutModificationTemplate | StartTileGroupsColumnCountFullScreenStart | Use to specify:- Whether to use full screen Start on the desktop- The number of tile columns in the Start menu |
+| RequiredStartGroupsCollectionParent:LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
+| [RequiredStartGroups](#requiredstartgroups)Parent:RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
+| [AppendGroup](#appendgroup)Parent:RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
+| [start:Tile](#specify-start-tiles)Parent:AppendGroup | AppUserModelIDSizeRowColumn | Use to specify any of the following:- A Universal Windows app- A Windows 8 or Windows 8.1 app |
+| start:DesktopApplicationTileParent:AppendGroup | DesktopApplicationIDDesktopApplicationLinkPathSizeRowColumn | Use to specify any of the following:- A Windows desktop application with a known AppUserModelID- An application in a known folder with a link in a legacy Start Menu folder- A Windows desktop application link in a legacy Start Menu folder- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
+| start:SecondaryTileParent:AppendGroup | AppUserModelIDTileIDArgumentsDisplayNameSquare150x150LogoUriShowNameOnSquare150x150LogoShowNameOnWide310x150LogoWide310x150LogoUriBackgroundColorForegroundTextIsSuggestedAppSizeRowColumn | Use to pin a Web link through a Microsoft Edge secondary tile |
+| TopMFUAppsParent:LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
+| TileParent:TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
+| DesktopApplicationTileParent:TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
+| AppendOfficeSuiteParent:LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to StartDo not use this tag with AppendDownloadOfficeTile |
+| AppendDownloadOfficeTileParent:LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in StartDo not use this tag with AppendOfficeSuite |
+
+### LayoutOptions
+
+New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
+
+- Boot to tablet mode can be set on or off.
+- Set full screen Start on desktop to on or off.
+ To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false.
+- Specify the number of columns in the Start menu to 1 or 2.
+ To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
+
+The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu:
+
+```XML
+Cellular
Device is only connected to a cellular network (standard data charges apply)
Will skip a daily scan if scan was successfully completed in the last 5 days
-Will only occur if update package is small and does not exceed the mobile operator data limit or the user clicks “download now”.
-Yes, if the user clicked “download now”
+Will only occur if update package is small and does not exceed the mobile operator data limit.
+Yes
Idem