diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index aeef690e51..62b310e4e4 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "devices/hololens/hololens-whats-new.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes", +"redirect_document_id": true +}, +{ "source_path": "devices/hololens/hololens-upgrade-enterprise.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-requirements#upgrade-to-windows-holographic-for-business", "redirect_document_id": true @@ -1377,11 +1382,6 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score", -"redirect_document_id": true -}, -{ "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1727,17 +1727,12 @@ "redirect_document_id": false }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md", +"source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/secure-score-dashboard.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", -"redirect_document_id": false -}, -{ -"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/enable-secure-score.md", +"source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", "redirect_document_id": false }, @@ -15612,6 +15607,11 @@ "redirect_document_id": false }, { +"source_path": "windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", +"redirect_document_id": false +}, +{ "source_path": "windows/deployment/update/windows-analytics-azure-portal.md", "redirect_url": "https://docs.microsoft.com/configmgr/desktop-analytics/overview", "redirect_document_id": false @@ -15720,6 +15720,26 @@ "source_path": "windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md", "redirect_url": "https://docs.microsoft.com/configmgr/desktop-analytics/overview", "redirect_document_id": false +}, +{ +"source_path": "windows/deployment/update/waas-manage-updates-configuration-manager.md", +"redirect_url": "https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components", +"redirect_document_id": false +}, +{ +"source_path": "windows/deployment/deploy-windows-mdt/key-features-in-mdt.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt", +"redirect_document_id": false } ] } diff --git a/.vscode/settings.json b/.vscode/settings.json index e7f59d08ec..9c0086e560 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,5 +1,6 @@ { "cSpell.words": [ + "intune", "kovter", "kovter's", "poshspy" diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md index 2f61f0bd35..28d551cfac 100644 --- a/browsers/edge/group-policies/new-tab-page-settings-gp.md +++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md @@ -22,8 +22,8 @@ ms.topic: reference Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. ->[!NOTE] ->New tab pages do not load while running InPrivate mode. +> [!NOTE] +> New tab pages do not load while running InPrivate mode. ## Relevant group policies diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index 9b329c580b..84a79eea55 100644 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -9,6 +9,8 @@ ms.author: dansimp author: dansimp --- +# Microsoft Edge Infographic + Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md index d64fe44479..4ec95259a1 100644 --- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md +++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md @@ -13,8 +13,8 @@ ms.topic: include By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. ->[!NOTE] ->If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. +> [!NOTE] +> If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. You can find the group policy settings in the following location of the Group Policy Editor: diff --git a/browsers/edge/managing-group-policy-admx-files.md b/browsers/edge/managing-group-policy-admx-files.md index 8b93e0ebc2..11dede91d3 100644 --- a/browsers/edge/managing-group-policy-admx-files.md +++ b/browsers/edge/managing-group-policy-admx-files.md @@ -19,8 +19,8 @@ ms.date: 10/19/2018 ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. ->[!NOTE] ->The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. +> [!NOTE] +> The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md index 21efc17c35..ff7107b46a 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md @@ -35,8 +35,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all 2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). - >[!Note] - >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. + > [!NOTE] + > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. 3. Open File Explorer and then open the **EMIEWebPortal/** folder. @@ -105,8 +105,8 @@ Create a new Application Pool and the website, by using the IIS Manager. 9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. - >[!Note] - >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + > [!NOTE] + > You must also make sure that **Anonymous Authentication** is marked as **Enabled**. 10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon. @@ -116,8 +116,8 @@ Create a new Application Pool and the website, by using the IIS Manager. - **Initial catalog.** The name of your database. - >[!Note] - >Step 3 of this topic provides the steps to create your database. + > [!NOTE] + > Step 3 of this topic provides the steps to create your database. ## Step 3 - Create and prep your database Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. @@ -216,8 +216,8 @@ Register the EMIEScheduler tool and service for production site list changes. 1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. - >[!Important] - >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + > [!IMPORTANT] + > If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. 2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md index 1a704aa67e..4651adf5cf 100644 --- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -1,8 +1,8 @@ Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. ->[!NOTE] ->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. +> [!NOTE] +> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. **Group Policy** diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index f351c57bb9..78f0903d6f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -7,7 +7,8 @@ author: dansimp ms.prod: ie11 ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd ms.reviewer: -audience: itpro manager: dansimp +audience: itpro +manager: dansimp ms.author: dansimp title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) ms.sitesec: library @@ -62,15 +63,15 @@ Each XML file must include: The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). -``` +```xml - + EnterpriseSitelistManager 10240 20150728.135021 - + IE8Enterprise MSEdge @@ -115,8 +116,3 @@ After you’ve added all of your sites to the tool and saved the file to XML, yo - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) - - - - - diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index 2ab127eec5..cb419efe7f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md @@ -81,8 +81,8 @@ Every add-on has a Class ID (CLSID) that you use to enable and disable specific 2. From the copied information, select and copy just the **Class ID** value. - >[!NOTE] - >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. + > [!NOTE] + > You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**. 3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
**-OR-**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 0b1edff4cd..9fe7dca247 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -37,8 +37,8 @@ current version of Internet Explorer. Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. ->[!Note] ->If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. +> [!NOTE] +> If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. ## Internet Explorer 11 automatic upgrades @@ -52,14 +52,14 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - >[!Note] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). + > [!NOTE] + > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. - >[!Note] - >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). + > [!NOTE] + > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). @@ -81,13 +81,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** - >[!Note] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + > [!NOTE] + > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. 5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - >[!Note] - >The properties for this rule will resemble the following: + > [!NOTE] + > The properties for this rule will resemble the following: 6. Clear the **Update Rollup** check box, and then click **OK**. @@ -101,12 +101,12 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. -12. Choose **Unapproved** in the **Approval**drop down box. +12. Choose **Unapproved** in the **Approval** drop down box. 13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. - >[!Note] - >There may be multiple updates, depending on the imported language and operating system updates. + > [!NOTE] + > There may be multiple updates, depending on the imported language and operating system updates. **Optional** @@ -126,8 +126,8 @@ If you need to reset your Update Rollups packages to auto-approve, do this: 7. Click **OK** to close the **Automatic Approvals** dialog box. ->[!Note] ->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. +> [!NOTE] +> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. ## Additional resources diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index 5097f83564..6b34fcc195 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -9,6 +9,8 @@ manager: dansimp ms.author: dansimp --- +# Full-sized flowchart detailing how document modes are chosen in IE11 + Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index e63d79527c..7b0dd491aa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -36,8 +36,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all 2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). - >[!Note] - >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. + > [!NOTE] + > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. 3. Open File Explorer and then open the **EMIEWebPortal/** folder. @@ -49,8 +49,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all 6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. - >[!Note] - >Step 3 of this topic provides the steps to create your database. + > [!NOTE] + > Step 3 of this topic provides the steps to create your database. 7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. @@ -109,8 +109,8 @@ Create a new Application Pool and the website, by using the IIS Manager. 9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. - >[!Note] - >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + > [!NOTE] + > You must also make sure that **Anonymous Authentication** is marked as **Enabled**. ## Step 3 - Create and prep your database Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. @@ -209,8 +209,8 @@ Register the EMIEScheduler tool and service for production site list changes. 1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. - >[!Important] - >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + > [!IMPORTANT] + > If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. 2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index c5a68132d8..1f9a047156 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -85,8 +85,8 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern - Run the site in each document mode until you find the mode in which the site works. - >[!NOTE] - >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. + > [!NOTE] + > You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. - If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. @@ -116,8 +116,8 @@ If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compa If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ ->[!NOTE] ->Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. +> [!NOTE] +> Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. ### Update the site for modern web standards diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 29c8de2486..744df8c766 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -28,8 +28,8 @@ ms.localizationpriority: medium Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. ->[!NOTE] ->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. +> [!NOTE] +> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. **To turn on Enterprise Mode using Group Policy** @@ -63,9 +63,4 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) - [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) - - - - - diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index 3a1f3b4596..14fcd048fc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -46,14 +46,6 @@ For IE11, the UI has been changed to provide just the controls needed to support ## Where did the search box go? IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. ->[!NOTE] ->Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). - - - - - - - - +> [!NOTE] +> Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 98f659748d..4f1c56a922 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -29,8 +29,8 @@ ms.date: 05/10/2018 The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. ->[!IMPORTANT] ->The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. +> [!IMPORTANT] +> The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. ## Install the toolkit @@ -69,13 +69,13 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - >[!NOTE] + > [!NOTE] >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. ->[!NOTE] ->If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. +> [!NOTE] +> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. ### Prevent automatic installation of Internet Explorer 11 with WSUS @@ -90,13 +90,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** - >[!NOTE] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + > [!NOTE] + > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. 5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - >[!NOTE] - >The properties for this rule will resemble the following:

+ > [!NOTE] + > The properties for this rule will resemble the following: 6. Clear the **Update Rollup** check box, and then click **OK**. @@ -116,8 +116,8 @@ After the new Internet Explorer 11 package is available for download, you should 6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. ->[!NOTE] ->There may be multiple updates, depending on the imported language and operating system updates. +> [!NOTE] +> There may be multiple updates, depending on the imported language and operating system updates. ### Optional - Reset update rollups packages to auto-approve @@ -135,8 +135,8 @@ After the new Internet Explorer 11 package is available for download, you should 7. Click **OK** to close the **Automatic Approvals** dialog box. ->[!NOTE] ->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. +> [!NOTE] +> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md index 8064c74737..7405392094 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md +++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md @@ -36,22 +36,22 @@ You can customize and install IEAK 11 on the following supported operating syste - Windows Server 2008 R2 Service Pack 1 (SP1) ->[!Note] ->IEAK 11 does not support building custom packages for Windows RT. +> [!NOTE] +> IEAK 11 does not support building custom packages for Windows RT. **What can I customize with IEAK 11?** The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. ->[!Note] ->Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. +> [!NOTE] +> Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. **Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. ->[!Note] ->IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). +> [!NOTE] +> IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). **Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index 7b0db0bbc4..9ae559b4b4 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -98,14 +98,14 @@ Pressing the **F1** button on the **Automatic Version Synchronization** page of ## Certificate installation does not work on IEAK 11 IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). ->[!NOTE] ->This applies only when using the External licensing mode of IEAK 11. +> [!NOTE] +> This applies only when using the External licensing mode of IEAK 11. ## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. ->[!NOTE] ->This applies only when using the Internal licensing mode of IEAK 11. +> [!NOTE] +> This applies only when using the Internal licensing mode of IEAK 11. To work around this issue, run the customization wizard following these steps: 1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md index 5e8b4e979e..06b86bce15 100644 --- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md +++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md @@ -32,8 +32,8 @@ IEAK 10 and newer includes the ability to install using one of the following ins - Internal - External ->[!NOTE] ->IEAK 11 works in network environments, with or without Microsoft Active Directory service. +> [!NOTE] +> IEAK 11 works in network environments, with or without Microsoft Active Directory service. ### Corporations diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index c93f45cfd9..8547f7cf59 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,6 +1,6 @@ -# [HoloLens overview](index.md) +# [Microsoft HoloLens](index.md) -# Get Started with HoloLens 2 +# Get started with HoloLens 2 ## [HoloLens 2 hardware](hololens2-hardware.md) ## [Get your HoloLens 2 ready to use](hololens2-setup.md) ## [Set up your HoloLens 2](hololens2-start.md) @@ -16,56 +16,56 @@ ## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md) ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) -# Deploying HoloLens and Mixed Reality Apps in Commercial Environments -## [Deployment planning](hololens-requirements.md) -## [Commercial feature overview](hololens-commercial-features.md) -## [Lincense Requriements](hololens-licenses-requirements.md) -## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md) +# Deploy HoloLens and mixed-reality apps in commercial environments +## [Commercial features](hololens-commercial-features.md) +## [Deploy HoloLens in a commercial environment](hololens-requirements.md) +## [Determine what licenses you need](hololens-licenses-requirements.md) +## [Configure your network for HoloLens](hololens-commercial-infrastructure.md) ## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md) -## [Configure HoloLens using a provisioning package](hololens-provisioning.md) +## [Use a provisioning package to configure HoloLens](hololens-provisioning.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) -## [Set up ring based updates for HoloLens](hololens-updates.md) +## [Manage HoloLens updates](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) # Navigating Windows Holographic ## [Start menu and mixed reality home](holographic-home.md) ## [Use your voice with HoloLens](hololens-cortana.md) -## [Find and save files](holographic-data.md) -## [Create, share, and view photos and video](holographic-photos-and-videos.md) +## [Find, open, and save files](holographic-data.md) +## [Create mixed reality photos and videos](holographic-photos-and-videos.md) # User management and access management -## [Accounts on HoloLens](hololens-identity.md) +## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) -## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) -## [Set up limited application access](hololens-kiosk.md) +## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md) -# Holographic Applications -## [Try 3D Viewer](holographic-3d-viewer-beta.md) +# Holographic applications +## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md) ## [Find, install, and uninstall applications](holographic-store-apps.md) -## [Install and uninstall custom applications](holographic-custom-apps.md) +## [Manage custom apps for HoloLens](holographic-custom-apps.md) # Accessories and connectivity ## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md) ## [Use the HoloLens (1st gen) clicker](hololens1-clicker.md) ## [Connect to a network](hololens-network.md) -## [Use HoloLens offline](hololens-offline.md) +## [Manage connection endpoints for HoloLens](hololens-offline.md) # Hologram optics and placement in space -## [Tips for viewing clear Holograms](hololens-calibration.md) +## [Improve visual quality and comfort](hololens-calibration.md) ## [Environment considerations for HoloLens](hololens-environment-considerations.md) -## [Spatial mapping on HoloLens](hololens-spaces.md) +## [Map physical spaces with HoloLens](hololens-spaces.md) # Update, troubleshoot, or recover HoloLens ## [Update HoloLens](hololens-update-hololens.md) -## [Restart, reset, or recover](hololens-recovery.md) -## [Troubleshoot HoloLens](hololens-troubleshooting.md) -## [Known issues](hololens-known-issues.md) +## [Restart, reset, or recover HoloLens](hololens-recovery.md) +## [Troubleshoot HoloLens issues](hololens-troubleshooting.md) +## [Known issues for HoloLens](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) ## [Frequently asked security questions](hololens-faq-security.md) -## [Hololens services status](hololens-status.md) -## [SCEP Whitepaper](scep-whitepaper.md) +## [Status of the HoloLens services](hololens-status.md) +## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb) +## [SCEP whitepaper](scep-whitepaper.md) -# [Release Notes](hololens-release-notes.md) +# [HoloLens release notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) -# [Join the Windows Insider program](hololens-insider.md) +# [Insider preview for Microsoft HoloLens](hololens-insider.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) diff --git a/devices/hololens/holographic-custom-apps.md b/devices/hololens/holographic-custom-apps.md index 0a86a7b37a..3cc01691d6 100644 --- a/devices/hololens/holographic-custom-apps.md +++ b/devices/hololens/holographic-custom-apps.md @@ -1,6 +1,6 @@ --- title: Manage custom apps for HoloLens -description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps. +description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps. ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616 ms.date: 07/01/2019 manager: v-miegge @@ -11,12 +11,15 @@ author: mattzmsft ms.author: mazeller ms.topic: article ms.localizationpriority: medium +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Install and manage custom applications (non-store) +# Manage custom apps for HoloLens HoloLens supports many existing applications from the Microsoft Store, as well as new apps built specifically for HoloLens. This article focuses on custom holographic applications. diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index 8c56f0dccc..8cc17b758c 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -1,5 +1,5 @@ --- -title: Frequently asked questions about HoloLens and holograms +title: Frequently asked questions about HoloLens devices and holograms description: Do you have a quick question about HoloLens or interacting with holograms? This article provides a quick answer and more resources. keywords: hololens, faq, known issue, help ms.prod: hololens @@ -9,130 +9,134 @@ ms.author: v-tea ms.topic: article audience: ITPro ms.localizationpriority: medium -ms.date: 10/30/2019 +ms.date: 02/27/2020 ms.reviewer: +ms.custom: +- CI 114606 +- CSSTroubleshooting manager: jarrettr appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# HoloLens and holograms: Frequently asked questions +# Frequently asked questions about HoloLens devices and holograms -Here are some answers to questions you might have about using HoloLens, placing holograms, working with spaces, and more. +This article answers some questions that you may have about how to use HoloLens, including how to place holograms, work with spaces, and more. -Any time you're having problems, make sure HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see if that fixes things. And please use the Feedback app to send us info about the issue—you'll find it on the [**Start** menu](holographic-home.md). +Any time that you have problems, make sure that HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see whether that fixes things. And please use the Feedback app to send us information about the issue. You'll find the Feedback app on the [**Start** menu](holographic-home.md). -For tips about wearing your HoloLens, see [HoloLens fit and comfort: FAQ](https://support.microsoft.com/help/13405/hololens-fit-and-comfort-faq). +For tips about hwo to wear your HoloLens, see [HoloLens (1st gen) fit and comfort frequently asked questions](hololens1-fit-comfort-faq.md). -This FAQ addresses the following questions and issues: +This article addresses the following questions and issues: - [My holograms don't look right or are moving around](#my-holograms-dont-look-right-or-are-moving-around) - [I see a message that says "Finding your space"](#i-see-a-message-that-says-finding-your-space) -- [I'm not seeing the holograms I expect to see in my space](#im-not-seeing-the-holograms-i-expect-to-see-in-my-space) -- [I can't place holograms where I want](#i-cant-place-holograms-where-i-want) +- [I'm not seeing the holograms that I expect to see in my space](#im-not-seeing-the-holograms-that-i-expect-to-see-in-my-space) +- [I can't place holograms where I want to](#i-cant-place-holograms-where-i-want-to) - [Holograms disappear or are encased in other holograms or objects](#holograms-disappear-or-are-encased-in-other-holograms-or-objects) - [I can see holograms that are on the other side of a wall](#i-can-see-holograms-that-are-on-the-other-side-of-a-wall) -- [When I place a hologram on a wall, it seems to float](#when-i-place-a-hologram-on-a-wall-it-seems-to-float) +- [When I place a hologram on a wall, the hologram seems to float](#when-i-place-a-hologram-on-a-wall-the-hologram-seems-to-float) - [Apps appear too close to me when I'm trying to move them](#apps-appear-too-close-to-me-when-im-trying-to-move-them) - [I'm getting a low disk space error](#im-getting-a-low-disk-space-error) - [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures) - [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice) - [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device) -- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) +- [HoloLens Settings lists devices as available, but the devices don't work](#hololens-settings-lists-devices-as-available-but-the-devices-dont-work) +- [I'm having problems using the HoloLens clicker](#im-having-problems-using-the-hololens-clicker) - [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) - [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) -- [HoloLens Management Questions](#hololens-management-questions) -- [HoloLens Security Questions](#hololens-security-questions) +- [I can't sign in to a HoloLens device because it was previously set up for someone else](#i-cant-sign-in-to-a-hololens-device-because-it-was-previously-set-up-for-someone-else) +- [Questions about managing HoloLens devices](#questions-about-managing-hololens-devices) +- [Questions about securing HoloLens devices](#questions-about-securing-hololens-devices) - [How do I delete all spaces?](#how-do-i-delete-all-spaces) - [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) -- [I can't log in to a HoloLens because it was previously set up for someone else](#i-cant-log-in-to-a-hololens-because-it-was-previously-set-up-for-someone-else) ## My holograms don't look right or are moving around If your holograms don't look right (for example, they're jittery or shaky, or you see black patches on top of them), try one of these fixes: - [Clean your device visor](hololens1-hardware.md#care-and-cleaning) and make sure nothing is blocking the sensors. -- Make sure you're in a well-lit room without a lot of direct sunlight. -- Try walking around and gazing at your surroundings so HoloLens can scan them more completely. +- Make sure that you're in a well-lit room that does not have a lot of direct sunlight. +- Try walking around and gazing at your surroundings so that HoloLens can scan them more completely. - If you've placed a lot of holograms, try removing some. -If you're still having problems, trying running the Calibration app, which calibrates your HoloLens just for you, to help keep your holograms looking their best. Go to **Settings **>** System **>** Utilities**. Under Calibration, select **Open Calibration**. +If you're still having problems, trying running the Calibration app. This app calibrates your HoloLens just for you to help keep your holograms looking their best. To do this, go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. [Back to list](#list) -## I see a message that says Finding your space +## I see a message that says "Finding your space" -When HoloLens is learning or loading a space, you might see a brief message that says "Finding your space." If this message continues for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space." +When HoloLens is learning or loading a space, you may see a brief message that says "Finding your space." If this message displays for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space." -These messages mean that HoloLens is having trouble mapping your space. When this happens, you'll be able to open apps, but you won't be able to place holograms in your environment. +These messages mean that HoloLens is having trouble mapping your space. When this happens, you can open apps, but you can't place holograms in your environment. -If you see these messages often, try the following: +If you see these messages often, try one or more of the following fixes: -- Make sure you're in a well-lit room without a lot of direct sunlight. -- Make sure your device visor is clean. [Learn how](hololens1-hardware.md#care-and-cleaning). -- Make sure you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings **> **Network & Internet** >** Wi-Fi**. +- Make sure that you're in a well-lit room that does not have a lot of direct sunlight. +- Make sure that your device visor is clean. [Learn how to clean your visor](hololens1-hardware.md#care-and-cleaning). +- Make sure that you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak Wi-Fi signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings** > **Network & Internet** > **Wi-Fi**. - Try moving more slowly. [Back to list](#list) -## I'm not seeing the holograms I expect to see in my space +## I'm not seeing the holograms that I expect to see in my space -If you don't see holograms you placed, or you're seeing some you don't expect, try the following: +If you don't see the holograms that you placed, or if you're seeing some that you don't expect, try one or more of the following fixes: -- Try turning on some lights. HoloLens works best in a well-lit space. -- Remove holograms you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**. +- Turn on some lights. HoloLens works best in a well-lit space. +- Remove holograms that you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**. > [!NOTE] > If the layout or lighting in your space changes significantly, your device might have trouble identifying your space and showing your holograms. [Back to list](#list) -## I can't place holograms where I want +## I can't place holograms where I want to Here are some things to try if you're having trouble placing holograms: -- Stand about 1 to 3 meters from where you're trying to place the hologram. +- Stand between one and three meters from where you're trying to place the hologram. - Don't place holograms on black or reflective surfaces. -- Make sure you're in a well-lit room without a lot of direct sunlight. +- Make sure that you're in a well-lit room that does not have a lot of direct sunlight. - Walk around the rooms so HoloLens can rescan your surroundings. To see what's already been scanned, air tap to reveal the mapping mesh graphic. [Back to list](#list) ## Holograms disappear or are encased in other holograms or objects -If you get too close to a hologram, it will temporarily disappear—just move away from it. Also, if you've placed a lot of holograms close together, some may disappear. Try removing a few. +If you get too close to a hologram, it will temporarily disappear—to restore the hologram, just move away from it. Also, if you've placed several holograms close together, some may disappear. Try removing a few. -Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following: +Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following fixes: -- If the hologram is encased in another hologram, move it to another location: select **Adjust**, then tap and hold to position it. +- If the hologram is encased in another hologram, move the encased hologram to another location. To do this, select **Adjust**, then tap and hold to position it. - If the hologram is encased in a wall, select **Adjust**, then walk toward the wall until the hologram appears. Tap and hold, then pull the hologram forward and out of the wall. -- If you can't move the hologram with gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen it and place it in a new location. +- If you can't move the hologram by using gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen the hologram and place it in a new location. [Back to list](#list) ## I can see holograms that are on the other side of a wall -If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you'll be able to see holograms that are in the next room. Stand 1 to 3 meters from the wall and gaze to scan it. +If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you can see holograms that are in the next room. To scan the wall, stand between one and three meters from the wall and gaze at it. -If HoloLens has problems scanning the wall, it might be because there's a black or reflective object nearby (for example, a black couch or a stainless steel refrigerator). If there is, scan the other side of the wall. +A black or reflective object (for example, a black couch or a stainless steel refrigerator) near the wall may cause problems when HoloLens tries to scan the wall. If there is such an object, scan the other side of the wall. [Back to list](#list) -## When I place a hologram on a wall, it seems to float +## When I place a hologram on a wall, the hologram seems to float -Holograms placed on walls will appear to be an inch or so away from the wall. If they appear farther away, try the following: +A hologram that you place on a wall typically appears to be an inch or so away from the wall. If it appears to be farther away, try one or more of the following fixes: -- Stand 1 to 3 meters from the wall when you place a hologram and face the wall straight on. -- Air tap the wall to reveal the mapping mesh graphic. Make sure the mesh is lined up with the wall. If it isn't, remove the hologram, rescan the wall, and try again. +- When you place a hologram on a wall, stand between one and three meters from the wall and face the wall straight on. +- Air tap the wall to reveal the mapping mesh graphic. Make sure that the mesh aligns with the wall. If it doesn't, remove the hologram, rescan the wall, and then try again. - If the issue persists, run the Calibration app. You'll find it in **Settings** > **System** > **Utilities**. [Back to list](#list) ## Apps appear too close to me when I'm trying to move them -Try walking around and looking at the area where you're placing the app so HoloLens will scan it from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help. +Try walking around and looking at the area where you're placing the app so that HoloLens scans the area from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help. [Back to list](#list) @@ -140,30 +144,36 @@ Try walking around and looking at the area where you're placing the app so HoloL Free up some storage space by doing one or more of the following: -- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md) +- Remove some of the holograms that you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md) - Delete some pictures and videos in the Photos app. -- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.) +- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, then select **Uninstall**. (Uninstalling the app also deletes any data that the app stores on the device.) [Back to list](#list) ## HoloLens doesn't respond to my gestures -To make sure HoloLens can see your gestures, keep your hand in the gesture frame, which extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor will change from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md). +To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md). [Back to list](#list) ## HoloLens doesn't respond to my voice -If your HoloLens is not responding to your voice, make sure Speech recognition is on. Go to **Start > Settings > Privacy > Speech** and turn on **Speech recognition**. +HoloLens (1st gen) and HoloLens 2 have built-in speech recognition, and also support Cortana (online speech recognition). -> [!NOTE] -> This setting isn't available on HoloLens (1st Gen) because speech recognition is always on and cannot be disabled +### Built-in voice commands do not work -If Cortana isn't responding to your voice, make sure Cortana is on by enabling **Online speech recognition** in that same menu. +On HoloLens (1st gen), built-in speech recognition is not configurable. It is always turned on. On HoloLens 2, you can choose whether to turn on both speech recognition and Cortana during device setup. -- You can also easily reach this menu on HoloLens 2 by selecting the "Speech settings" button, or saying "Speech settings" while in the start menu after enabling Speech recognition. +If your HoloLens 2 is not responding to your voice, make sure Speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and turn on **Speech recognition**. -- If Cortana is still not responding after enabling Online speech recognition, In the **All apps** list, select and launch **Cortana** > select **Menu** > **Notebook** > **Settings** to make changes. +### Cortana or Dictation doesn't work + +If Cortana or Dictation isn't responding to your voice, make sure online speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and verify the **Online speech recognition** settings. + +If Cortana is still not responding, do one of the following to verify that Cortana itself is turned on: + +- In **All apps**, select **Cortana** > select **Menu** > **Notebook** > **Settings** to make changes. +- On HoloLens 2, select the **Speech settings** button or say "Speech settings." To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). @@ -173,42 +183,46 @@ To learn more about what you can say, see [Use your voice with HoloLens](hololen If you're having problems [pairing a Bluetooth device](hololens-connect-devices.md), try the following: -- Go to **Settings** > **Devices** and make sure Bluetooth is turned on. If it is, try turning if off and on again. -- Make sure your Bluetooth device is fully charged or has fresh batteries. -- If you still can't connect, [restart your HoloLens](hololens-recovery.md). - -If you're having trouble using a Bluetooth device, make sure it's a supported device. Supported devices include: - -- English-language QWERTY Bluetooth keyboards, which can be used anywhere you use the holographic keyboard. -- Bluetooth mice. -- The [HoloLens clicker](hololens1-clicker.md). - -Other Bluetooth HID and GATT devices can be paired, but they might require a companion app from Microsoft Store to work with HoloLens. - -HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported. +- Go to **Settings** > **Devices**, and make sure that Bluetooth is turned on. If it is, turn it off and on again. +- Make sure that your Bluetooth device is fully charged or has fresh batteries. +- If you still can't connect, [restart the HoloLens](hololens-recovery.md). [Back to list](#list) -## I'm having problems with the HoloLens clicker +## HoloLens Settings lists devices as available, but the devices don't work -Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Additional clicker gestures may vary from app to app. +HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported. -If you're having trouble using the clicker, make sure its charged and paired with your HoloLens. If the battery is low, the indicator light will blink amber. To see if its paired, go to **Settings** > **Devices** and see if it shows up there. [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). +If you're having trouble using a Bluetooth device, make sure that it's a supported device. Supported devices include the following: + +- English-language QWERTY Bluetooth keyboards (you can use these anywhere that you use the holographic keyboard). +- Bluetooth mice. +- The [HoloLens clicker](hololens1-clicker.md). + +You can pair other Bluetooth HID and GATT devices together with your HoloLens. However, you may have to install corresponding companion apps from Microsoft Store to actually use the devices. + +[Back to list](#list) + +## I'm having problems using the HoloLens clicker + +Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures. + +If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again. -If that doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker). +If resetting the clicker doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker). [Back to list](#list) ## I can't connect to Wi-Fi -Here are some things to try if you can't connect to Wi-Fi on HoloLens: +Here are some things to try if you can't connect your HoloLens to a Wi-Fi network: -- Make sure Wi-Fi is turned on. Preform a Start gesture to open the menu, then select **Settings** > **Network & Internet** > **Wi-Fi** to check. If Wi-Fi is on, try turning it off and on again. +- Make sure that Wi-Fi is turned on. To check, use the Start gesture, then select **Settings** > **Network & Internet** > **Wi-Fi**. If Wi-Fi is on, try turning it off and then on again. - Move closer to the router or access point. - Restart your Wi-Fi router, then [restart HoloLens](hololens-recovery.md). Try connecting again. -- If none of these things work, check to make sure your router is using the latest firmware. You can find this information on the manufacturers website. +- If none of these things work, check to make sure that your router is using the latest firmware. You can find this information on the manufacturer website. [Back to list](#list) @@ -218,35 +232,51 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe [Back to list](#list) +## I can't sign in to a HoloLens device because it was previously set up for someone else -## I can't log in to a HoloLens because it was previously set up for someone else +If your device was previously set up for someone else, either for a client or for a former employee, and you don't have their password to unlock the device, you can do one of the following: -If your device was previously set up for someone else, either a client or former employee and you don't have their password to unlock the device there are two solutions. -- If your device is MDM managed by Intune then you can remotely [Wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device and it'll reflash itself. Make sure to leave **Retain enrollment state and user account** unchecked. -- If you have the device with you then you can put the device into **Flashing Mode** and use Advanced Recovery Companion to [recover](https://docs.microsoft.com/hololens/hololens-recovery) the device. +- For a device that is enrolled in Intune mobile device management (MDM), you can use Intune to remotely [wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device. The device then re-flashes itself. + > [!IMPORTANT] + > When you wipe the device, make sure to leave **Retain enrollment state and user account** unchecked. +- For a non-MDM device, you can [put the device into **Flashing Mode** and use Advanced Recovery Companion](hololens-recovery.md#re-install-the-operating-system) to recover the device. [Back to list](#list) -## HoloLens Management Questions +## Questions about managing HoloLens devices -1. **Can I use SCCM to manage the HoloLens?** - 1. No. An MDM must be used to manage the HoloLens -1. **Can I use Active Directory to manage HoloLens user accounts?** - 1. No, Azure AD must be used to manage user accounts. -1. **Is the HoloLens capable of ADCS auto enrollment?** - 1. No -1. **Can the HoloLens participate in WNA/IWA?** - 1. No -1. **Does the HoloLens support branding?** - 1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios) -1. **What logging capabilities are available on HL1 and HL2?** - 1. Logging is limited to traces captured in developer/troubleshooting scenarios or telemetry sent to Microsoft servers. +### Can I use System Center Configuration Manager (SCCM) to manage HoloLens devices? + +No. You have to use an MDM system to manage HoloLens devices. + +### Can I use Active Directory Domain Services (AD DS) to manage HoloLens user accounts? + +No. You have to use Azure Active Directory (AAD) to manage user accounts for HoloLens devices. + +### Is HoloLens capable of Automated Data Capture Systems (ADCS) auto-enrollment? + +No. + +### Can HoloLens participate in Integrated Windows Authentication? + +No. + +### Does HoloLens support branding? + +No. However, you can work around this issue by using one of the following approaches: + +- Create a custom app, and then [enable Kiosk mode](hololens-kiosk.md). The custom app can have branding, and can launch other apps (such as Remote Assist). +- Change all of the user profile pictures in AAD to your company logo. However, this may not be desirable for all scenarios. + +### What logging capabilities do HoloLens (1st gen) and HoloLens 2 offer? + +Logging is limited to traces that can be captured in development or troubleshooting scenarios, or telemetry that the devices send to Microsoft servers. [Back to list](#list) -## HoloLens Security Questions +## Questions about securing HoloLens devices -Frequently asked security questions can be found [here](hololens-faq-security.md). +See [frequently asked questions about securing HoloLens devices](hololens-faq-security.md). [Back to list](#list) diff --git a/devices/hololens/hololens-commercial-features.md b/devices/hololens/hololens-commercial-features.md index 309d81e904..f53558ec75 100644 --- a/devices/hololens/hololens-commercial-features.md +++ b/devices/hololens/hololens-commercial-features.md @@ -5,6 +5,9 @@ keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk m author: scooley ms.author: scooley ms.date: 08/26/2019 +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article audience: ITPro ms.prod: hololens @@ -40,7 +43,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a - **Windows Update for Business.** Windows Update for Business provides controlled operating system updates to devices and support for the long-term servicing channel. - **Data security.** BitLocker data encryption is enabled on HoloLens to provide the same level of security protection as any other Windows device. - **Work access.** Anyone in your organization can remotely connect to the corporate network through virtual private network (VPN) on a HoloLens. HoloLens can also access Wi-Fi networks that require credentials. -- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company’s apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users. +- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company's apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users. ## Feature comparison between editions @@ -48,7 +51,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a |---|:---:|:---:|:---:| |Device Encryption (BitLocker) | |✔️ |✔️ | |Virtual Private Network (VPN) | |✔️ |✔️ | -|[Kiosk mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#kiosk-mode) | |✔️ |✔️ | +|[Kiosk mode](hololens-kiosk.md) | |✔️ |✔️ | |**Management and deployment** | | | | |Mobile Device Management (MDM) | |✔️ |✔️ | |Ability to block unenrollment | |✔️ |✔️ | @@ -67,12 +70,12 @@ HoloLens (1st gen) came with two licensing options, the developer license and a ## Enabling commercial features -Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](https://docs.microsoft.com/hololens) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business. +Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](index.md) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business. ## See also -- [Microsoft HoloLens](https://docs.microsoft.com/hololens) -- [Kiosk mode](/windows/mixed-reality/using-the-windows-device-portal.md#kiosk-mode) +- [Microsoft HoloLens](index.md) +- [Kiosk mode](hololens-kiosk.md) - [CSPs supported in HoloLens devices](/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) - [Microsoft Store For Business and line of business applications](https://blogs.technet.microsoft.com/sbucci/2016/04/13/windows-store-for-business-and-line-of-business-applications/) - [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps) diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md index b56e555f7d..78dacbb581 100644 --- a/devices/hololens/hololens-faq-security.md +++ b/devices/hololens/hololens-faq-security.md @@ -11,15 +11,18 @@ ms.sitesec: library ms.topic: article audience: ITPro ms.localizationpriority: high +ms.custom: +- CI 111456 +- CSSTroubleshooting manager: bradke appliesto: - HoloLens 1 (1st gen) - HoloLens 2 --- -# Frequently Asked Security Questions +# Frequently asked questions about HoloLens security -## HoloLens 1st Gen Security Questions +## HoloLens (1st gen) Security Questions 1. **What type of wireless is used?** 1. 802.11ac and Bluetooth 4.1 LE @@ -67,9 +70,9 @@ appliesto: 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** 1. No -1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** - 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. - 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. 1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. @@ -87,7 +90,7 @@ appliesto: 1. **Can the device blacklist or white list specific frequencies?** 1. This is not controllable by the user/device 1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** - 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules. + 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules. 1. **What is the duty cycle/lifetime for normal operation?** 1. *Currently unavailable.* 1. **What is transmit and receive behavior when a tool is not in range?** @@ -119,8 +122,8 @@ appliesto: 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** 1. No -1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** - 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. - 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. 1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index 3cc6cc4cfc..e1fab33818 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -1,12 +1,15 @@ --- -title: Managing user identity and login on HoloLens -description: Manage user identity, security, and login on HoloLens. +title: Manage user identity and sign-in for HoloLens +description: Manage user identity, security, and sign-in for HoloLens. keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e author: scooley ms.author: scooley -ms.date: 1/6/2019 +ms.date: 1/6/2020 ms.prod: hololens +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article ms.sitesec: library ms.topic: article @@ -18,7 +21,7 @@ appliesto: - HoloLens 2 --- -# User identity and signin +# Manage user identity and sign-in for HoloLens > [!NOTE] > This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)". diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 5adbb7b0ca..1f4858772e 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -1,11 +1,14 @@ --- -title: Insider preview for Microsoft HoloLens (HoloLens) -description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. +title: Insider preview for Microsoft HoloLens +description: It's simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. ms.prod: hololens ms.sitesec: library author: scooley ms.author: scooley ms.topic: article +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.localizationpriority: medium audience: ITPro ms.date: 1/6/2020 @@ -17,13 +20,13 @@ appliesto: # Insider preview for Microsoft HoloLens -Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. +Welcome to the latest Insider Preview builds for HoloLens! It's simple to get started and provide valuable feedback for our next major operating system update for HoloLens. ## Start receiving Insider builds On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. -Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. +Then, select **Active development of Windows**, choose whether you'd like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. @@ -46,7 +49,7 @@ To opt out of Insider builds: Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. > [!NOTE] -> Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). +> Be sure to accept the prompt that asks whether you'd like Feedback Hub to access your Documents folder (select **Yes** when prompted). ## Note for developers @@ -68,7 +71,7 @@ Here's a quick summary of what's new: - Performance and stability improvements across the product - More information in settings on HoloLens about the policy pushed to the device -Once you’ve had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers. +Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers. ### FIDO 2 support Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index e895069d36..aab93e1b8a 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -1,5 +1,5 @@ --- -title: Set up HoloLens in kiosk mode (HoloLens) +title: Set up HoloLens as a kiosk for specific applications description: Use a kiosk configuration to lock down the apps on HoloLens. ms.prod: hololens ms.sitesec: library @@ -8,15 +8,21 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.date: 11/13/2018 +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.reviewer: manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- -# Set up HoloLens in kiosk mode +# Set up HoloLens as a kiosk for specific applications In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional) -When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. +When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md index c508f805e5..e3ac50bec3 100644 --- a/devices/hololens/hololens-known-issues.md +++ b/devices/hololens/hololens-known-issues.md @@ -1,11 +1,14 @@ --- -title: HoloLens known issues +title: Known issues for HoloLens description: This is the list of known issues that may affect HoloLens developers. keywords: troubleshoot, known issue, help author: mattzmsft ms.author: mazeller ms.date: 8/30/2019 ms.topic: article +ms.custom: +- CI 111456 +- CSSTroubleshooting HoloLens and holograms: Frequently asked questions manager: jarrettr ms.prod: hololens @@ -13,7 +16,7 @@ appliesto: - HoloLens 1 --- -# HoloLens known issues +# Known issues for HoloLens This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates. @@ -70,7 +73,7 @@ Our team is currently working on a fix. In the meantime, you can use the followi 1. Select **Build** > **Build Solution**. 1. Open a Command Prompt Window and cd to the folder that contains the compiled .exe file (for example, C:\MyProjects\HoloLensDeploymentFix\bin\Debug) -1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device’s Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1" +1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device's Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1" 1. After the tool has exited without any messages (this should only take a few seconds), you will now be able to deploy and debug from Visual Studio 2017 or newer. Continued use of the tool is not necessary. @@ -84,9 +87,9 @@ We will provide further updates as they become available. You may experience issues when trying to launch the Microsoft Store and apps on HoloLens. We've determined that the issue occurs when background app updates deploy a newer version of framework packages in specific sequences while one or more of their dependent apps are still running. In this case, an automatic app update delivered a new version of the .NET Native Framework (version 10.0.25531 to 10.0.27413) caused the apps that are running to not correctly update for all running apps consuming the prior version of the framework. The flow for framework update is as follows: 1. The new framework package is downloaded from the store and installed -1. All apps using the older framework are ‘updated’ to use the newer version +1. All apps using the older framework are 'updated' to use the newer version -If step 2 is interrupted before completion then any apps for which the newer framework wasn’t registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue. +If step 2 is interrupted before completion then any apps for which the newer framework wasn't registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue. Some users have reported that closing hung apps and launching other apps such as Feedback Hub, 3D Viewer or Photos resolves the issue for them—however, this does not work 100% of the time. @@ -112,10 +115,10 @@ If you would not like to take the update, we have released a new version of the If your device is still unable to load apps, you can sideload a version of the .NET Native Framework and Runtime through the download center by following these steps: 1. Please download [this zip file](https://download.microsoft.com/download/8/5/C/85C23745-794C-419D-B8D7-115FBCCD6DA7/netfx_1.7.zip) from the Microsoft Download Center. Unzipping will produce two files. Microsoft.NET.Native.Runtime.1.7.appx and Microsoft.NET.Native.Framework.1.7.appx -1. Please verify that your device is dev unlocked. If you haven’t done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). +1. Please verify that your device is dev unlocked. If you haven't done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). 1. You then want to get into the Windows Device Portal. Our recommendation is to do this over USB and you would do that by typing http://127.0.0.1:10080 into your browser. -1. After you have the Windows Device Portal up we need you to “side load” the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**. -1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on “Go” under the Deploy section. Then do this for the second APPX file. +1. After you have the Windows Device Portal up we need you to "side load" the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**. +1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on "Go" under the Deploy section. Then do this for the second APPX file. ![Windows Device Portal to Install Side-Loaded app](images/20190322-DevicePortal.png) 1. At this point we believe your applications should start working again and that you can also get to the Store. diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md index c89587c100..ef727bfc77 100644 --- a/devices/hololens/hololens-licenses-requirements.md +++ b/devices/hololens/hololens-licenses-requirements.md @@ -23,7 +23,7 @@ appliesto: If you plan on managing your HoloLens devices, you will need Azure AD and an MDM. Active Director (AD) cannot be used to manage HoloLens devices. If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required. -If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.** +If you plan on using Intune as your MDM, [here](https://docs.microsoft.com/intune/fundamentals/licenses) are a list of suites that includes Intune licenses. **Please note that Azure AD is included in the majority of these suites.** ## Identify the licenses needed for your scenario and products @@ -44,6 +44,8 @@ Make sure you have the required licensing and device. Updated licensing and prod 1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free) 1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) +If you plan on implementing **[this cross-tenant scenario](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-overview#scenario-2-leasing-services-to-other-tenants)**, you may need an Information Barriers license. Please see [this article](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-licensing-implementation#step-1-determine-if-information-barriers-are-necessary) to determine if an Information Barrier License is required. + ### Guides License Requirements Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements). diff --git a/devices/hololens/hololens-network.md b/devices/hololens/hololens-network.md index c7a9e2b3a1..bd9286a91e 100644 --- a/devices/hololens/hololens-network.md +++ b/devices/hololens/hololens-network.md @@ -5,7 +5,6 @@ ms.assetid: 0895606e-96c0-491e-8b1c-52e56b00365d author: mattzmsft ms.author: mazeller keywords: HoloLens, wifi, wireless, internet, ip, ip address -ms.date: 02/27/2020 ms.prod: hololens ms.sitesec: library ms.localizationpriority: high diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md index e3b11960b1..b9ee084421 100644 --- a/devices/hololens/hololens-offline.md +++ b/devices/hololens/hololens-offline.md @@ -5,9 +5,12 @@ keywords: hololens, offline, OOBE audience: ITPro ms.date: 07/01/2019 ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 -author: v-miegge -ms.author: v-miegge -manager: v-miegge +author: Teresa-Motiv +ms.author: v-tea +ms.custom: +- CI 111456 +- CSSTroubleshooting +manager: jarrettr ms.topic: article ms.prod: hololens ms.sitesec: library @@ -17,9 +20,9 @@ appliesto: - HoloLens 2 --- -# Manage connection endpoints for HoloLens +# Manage connection endpoints for HoloLens -Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional. +Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional. ## Near-offline setup diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 60105c772f..04e3e8c24b 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -1,8 +1,13 @@ --- + title: Configure HoloLens by using a provisioning package (HoloLens) + description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. ms.prod: hololens ms.sitesec: library +ms.custom: +- CI 111456 +- CSSTroubleshooting author: dansimp ms.author: dansimp ms.topic: article @@ -13,6 +18,9 @@ ms.localizationpriority: medium ms.date: 03/10/2020 ms.reviewer: Teresa-Motiv manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Configure HoloLens by using a provisioning package diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index ef751d84d5..60d46d7e1c 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md @@ -1,5 +1,5 @@ --- -title: Reset or recover your HoloLens +title: Restart, reset, or recover HoloLens ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens. description: How to use Advanced Recovery Companion to flash an image to HoloLens 2. keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, arc, advanced recovery companion @@ -8,6 +8,9 @@ ms.sitesec: library author: mattzmsft ms.author: mazeller ms.date: 08/30/2019 +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article ms.localizationpriority: high manager: jarrettr @@ -18,9 +21,9 @@ appliesto: # Restart, reset, or recover HoloLens -If you’re experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery. +If you're experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery. -Here are some things to try if your HoloLens isn’t running well. This article will guide you through the recommended recovery steps in succession. +Here are some things to try if your HoloLens isn't running well. This article will guide you through the recommended recovery steps in succession. This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality. @@ -33,9 +36,9 @@ First, try restarting the device. The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens: 1. Put on your device -1. Make sure it’s powered on, a user is logged in, and the device is not waiting for a password to unlock it. -1. Say “Hey Cortana, reboot” or "Hey Cortana, restart." -1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say “Yes.” +1. Make sure it's powered on, a user is logged in, and the device is not waiting for a password to unlock it. +1. Say "Hey Cortana, reboot" or "Hey Cortana, restart." +1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say "Yes." 1. The device will now restart. ### Perform a safe restart by using the power button @@ -45,7 +48,7 @@ If you still can't restart your device, you can try to restart it by using the p 1. Press and hold the power button for five seconds. 1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left. 1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully. - 1. Note that it’s important to stop pressing the button immediately after all the LEDs have turned off. + 1. Note that it's important to stop pressing the button immediately after all the LEDs have turned off. 1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off. 1. Power on the device again by pressing and holding the power button for one second. @@ -66,18 +69,18 @@ If none of the previous methods are able to successfully restart your device, yo 1. Press and hold the power button for at least 10 seconds. - - It’s okay to hold the button for longer than 10 seconds. - - It’s safe to ignore any LED activity. + - It's okay to hold the button for longer than 10 seconds. + - It's safe to ignore any LED activity. 1. Release the button and wait for two or three seconds. 1. Power on the device again by pressing and holding the power button for one second. -If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device. +If you're still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device. ## Reset to factory settings > [!NOTE] > The battery needs at least 40 percent charge to reset. -If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. +If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings. If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth). @@ -109,10 +112,10 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper > [!TIP] > In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion: -1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed. -1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. -1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. -1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. +1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed. +1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. +1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. +1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. ### HoloLens (1st gen) @@ -120,7 +123,7 @@ If necessary, you can install a completely new operating system on your HoloLens Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed. -To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. +To use the tool, you'll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can't run this tool on a virtual machine. To recover your HoloLens @@ -128,4 +131,4 @@ To recover your HoloLens 1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens. 1. Run the Windows Device Recovery Tool and follow the instructions. -If the HoloLens (1st gen) isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. +If the HoloLens (1st gen) isn't automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index f2a5d92512..737b6bcc0e 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -1,5 +1,5 @@ --- -title: What's new in Microsoft HoloLens +title: HoloLens release notes description: Learn about updates in each new HoloLens release. author: scooley ms.author: scooley @@ -9,6 +9,9 @@ ms.sitesec: library ms.topic: article ms.localizationpriority: medium ms.date: 12/02/2019 +ms.custom: +- CI 111456 +- CSSTroubleshooting audience: ITPro appliesto: - HoloLens 1 @@ -16,7 +19,7 @@ appliesto: --- -# HoloLens Release Notes +# HoloLens release notes ## HoloLens 2 @@ -57,12 +60,12 @@ appliesto: | Feature | Details | |---|---| | **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) | -| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | +| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) | | **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. | -| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). | -| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | -| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | -| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. | +| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). | +| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | +| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. | +| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. | | **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. | | **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. | diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 6c370939da..6cfcb281b0 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -33,7 +33,7 @@ This document also assumes that the HoloLens has been evaluated by security team Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. It is also important to ensure that your security team has approved of the use of the HoloLens on the company's network. Please see [Frequently ask security questions](hololens-faq-security.md) for additional security information. -### Type of identity +### Type of Identity Determine the type of identity that will be used to sign into the device. @@ -41,6 +41,8 @@ Determine the type of identity that will be used to sign into the device. 2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. 3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device. +For more detailed information about identity types, please visit our [HoloLens Identity](hololens-identity.md) article. + ### Type of Features Your feature requirements will determine which HoloLens you need. One popular feature that we see deployed in customer environments frequently is Kiosk Mode. A list of HoloLens key features, and the editions of HoloLens that support them, can be found [here](hololens-commercial-features.md). @@ -66,13 +68,15 @@ There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk m There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. -### Apps +### Apps and App Specific Scenarios The majority of the steps found in this document will also apply to the following apps: -1. Remote Assist -2. Guides -3. Customer Apps +| App | App Specific Scenarios | +| --- | --- | +| Remote Assist | [Cross Tenant Communication](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-overview)| +| Guides | *Coming Soon* | +|Custom Apps | *Coming Soon* | ### Determine your enrollment method diff --git a/devices/hololens/hololens-spaces.md b/devices/hololens/hololens-spaces.md index 26790eacca..485e56773e 100644 --- a/devices/hololens/hololens-spaces.md +++ b/devices/hololens/hololens-spaces.md @@ -1,9 +1,12 @@ --- -title: Mapping physical spaces with HoloLens +title: Map physical spaces with HoloLens description: HoloLens learns what a space looks like over time. Users can facilitate this process by moving the HoloLens in certain ways through the space. ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b author: dorreneb ms.author: dobrown +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.date: 09/16/2019 keywords: hololens, Windows Mixed Reality, design, spatial mapping, HoloLens, surface reconstruction, mesh, head tracking, mapping ms.prod: hololens @@ -15,14 +18,14 @@ appliesto: - HoloLens 2 --- -# Mapping physical spaces with HoloLens +# Map physical spaces with HoloLens HoloLens blends holograms with your physical world. To do that, HoloLens has to learn about the physical world around you and remember where you place holograms within that space. Over time, the HoloLens builds up a *spatial map* of the environment that it has seen. HoloLens updates the map as the environment changes. As long as you are logged in and the device is turned on, HoloLens creates and updates your spatial maps. If you hold or wear the device with the cameras pointed at a space, the HoloLens tries to map the area. While the HoloLens learns a space naturally over time, there are ways in which you can help HoloLens map your space more quickly and efficiently. > [!NOTE] -> If your HoloLens can’t map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won’t be able to place holograms in your surroundings. +> If your HoloLens can't map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won't be able to place holograms in your surroundings. This article explains how HoloLens maps spaces, how to improve spatial mapping, and how to manage the spatial data that HoloLens collects. diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md index e6ccdbd207..a1209dd3c8 100644 --- a/devices/hololens/hololens-status.md +++ b/devices/hololens/hololens-status.md @@ -1,18 +1,21 @@ --- -title: HoloLens status +title: Status of the HoloLens services description: Shows the status of HoloLens online services. -author: todmccoy -ms.author: v-todmc +author: Teresa-Motiv +ms.author: v-tea ms.reviewer: luoreill manager: jarrettr audience: Admin +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article ms.prod: hololens ms.localizationpriority: high ms.sitesec: library --- -# HoloLens status +# Status of the HoloLens services ✔️ **All services are active** diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md index 7102984f4c..b4d107902a 100644 --- a/devices/hololens/hololens-troubleshooting.md +++ b/devices/hololens/hololens-troubleshooting.md @@ -1,5 +1,5 @@ --- -title: HoloLens troubleshooting +title: Troubleshoot HoloLens issues description: Solutions for common HoloLens issues. author: mattzmsft ms.author: mazeller @@ -11,16 +11,19 @@ audience: ITPro ms.localizationpriority: medium keywords: issues, bug, troubleshoot, fix, help, support, HoloLens manager: jarrettr +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Troubleshooting HoloLens issues +# Troubleshoot HoloLens issues This article describes how to resolve several common HoloLens issues. -## My HoloLens is unresponsive or won’t start +## My HoloLens is unresponsive or won't start If your HoloLens won't start: @@ -35,59 +38,59 @@ If these steps don't work, you can try [recovering your device](hololens-recover ## Holograms don't look good -If your holograms are unstable, jumpy, or don’t look right, try: +If your holograms are unstable, jumpy, or don't look right, try: - Cleaning your device visor and sensor bar on the front of your HoloLens. - Increasing the light in your room. - Walking around and looking at your surroundings so that HoloLens can scan them more completely. - Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. -## HoloLens doesn’t respond to gestures +## HoloLens doesn't respond to gestures To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame). -If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light. +If your environment is too dark, HoloLens might not see your hand, so make sure that there's enough light. If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently. -## HoloLens doesn’t respond to my voice commands +## HoloLens doesn't respond to my voice commands -If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). +If Cortana isn't responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). -## I can’t place holograms or see holograms that I previously placed +## I can't place holograms or see holograms that I previously placed -If HoloLens can’t map or load your space, it enters Limited mode and you won’t be able to place holograms or see holograms that you’ve placed. Here are some things to try: +If HoloLens can't map or load your space, it enters Limited mode and you won't be able to place holograms or see holograms that you've placed. Here are some things to try: -- Make sure that there’s enough light in your environment so HoloLens can see and map the space. -- Make sure that you’re connected to a Wi-Fi network. If you’re not connected to Wi-Fi, HoloLens can’t identify and load a known space. +- Make sure that there's enough light in your environment so HoloLens can see and map the space. +- Make sure that you're connected to a Wi-Fi network. If you're not connected to Wi-Fi, HoloLens can't identify and load a known space. - If you need to create a new space, connect to Wi-Fi, then restart your HoloLens. - To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**. -- If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space. +- If the correct space is loaded and you're still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space. -## My HoloLens can’t tell what space I’m in +## My HoloLens can't tell what space I'm in -If your HoloLens can’t identify and load the space you’re in automatically, check the following factors: +If your HoloLens can't identify and load the space you're in automatically, check the following factors: -- Make sure that you’re connected to Wi-Fi -- Make sure that there’s plenty of light in the room -- Make sure that there haven’t been any major changes to the surroundings. +- Make sure that you're connected to Wi-Fi +- Make sure that there's plenty of light in the room +- Make sure that there haven't been any major changes to the surroundings. You can also load a space manually or manage your spaces by going to **Settings** > **System** > **Spaces**. -## I’m getting a “low disk space” error +## I'm getting a "low disk space" error -You’ll need to free up some storage space by doing one or more of the following: +You'll need to free up some storage space by doing one or more of the following: - Delete some unused spaces. Go to **Settings** > **System** > **Spaces**, select a space that you no longer need, and then select **Remove**. -- Remove some of the holograms that you’ve placed. +- Remove some of the holograms that you've placed. - Delete some pictures and videos from the Photos app. - Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, and then select **Uninstall**. -## My HoloLens can’t create a new space +## My HoloLens can't create a new space -The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. +The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. ## The HoloLens emulators isn't working diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index f07302aa07..561eb79861 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -1,5 +1,5 @@ --- -title: Managing updates to HoloLens +title: Manage HoloLens updates description: Administrators can use mobile device management to manage updates to HoloLens devices. ms.prod: hololens ms.sitesec: library @@ -11,12 +11,15 @@ ms.localizationpriority: high ms.date: 11/7/2019 ms.reviewer: jarrettr manager: jarrettr +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Managing HoloLens updates +# Manage HoloLens updates HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet. diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md deleted file mode 100644 index 064d470afc..0000000000 --- a/devices/hololens/hololens-whats-new.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: What's new in Microsoft HoloLens (HoloLens) -description: Windows Holographic for Business gets new features in Windows 10, version 1809. -ms.prod: hololens -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.topic: article -ms.localizationpriority: medium -ms.date: 11/13/2018 -ms.reviewer: -manager: dansimp ---- - -# What's new in Microsoft HoloLens - -## Windows 10, version 1809 for Microsoft HoloLens - -> **Applies to:** Hololens (1st gen) - -### For everyone - -| Feature | Details | -|---|---| -| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) | -| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | -| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. | -| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). | -| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | -| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | -| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. | -| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. | -| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. | - -### For administrators - -| Feature | Details | -|---|----| -| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. | -| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | -| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | -| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  | -| Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. | -| Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. | - -### For international customers - -Feature | Details ---- | --- -Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. -Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. - -[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) - -## Windows 10, version 1803 for Microsoft HoloLens - -> **Applies to:** Hololens (1st gen) - -Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: - -- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md). - -- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). - -- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard). - - ![Provisioning HoloLens devices](images/provision-hololens-devices.png) - -- When you create a local account in a provisioning package, the password no longer expires every 42 days. - -- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes. - -- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens. - -- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically. - -- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. - -- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts. - -- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting. - -- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly. - -- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 0bebe66485..47862d7138 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -1,6 +1,6 @@ --- title: Microsoft HoloLens -description: Landing page Microsoft HoloLens. +description: Landing page for Microsoft HoloLens. ms.prod: hololens ms.sitesec: library ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040 @@ -10,8 +10,11 @@ ms.topic: article ms.localizationpriority: medium ms.date: 10/14/2019 audience: ITPro +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: -- HoloLens 1 +- HoloLens (1st gen) - HoloLens 2 --- diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md index 06b7527960..ee0915b54b 100644 --- a/devices/hololens/scep-whitepaper.md +++ b/devices/hololens/scep-whitepaper.md @@ -11,20 +11,23 @@ ms.sitesec: library ms.topic: article audience: ITPro ms.localizationpriority: high +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens 1 (1st gen) - HoloLens 2 --- -# SCEP Whitepaper +# SCEP whitepaper ## High Level ### How the SCEP Challenge PW is secured -We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. +We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. -We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. +We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. ## Behind the scenes @@ -72,6 +75,6 @@ We then pass that to the device and then the device generates it’s CSR and pas 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup. - 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. + 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. 1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md deleted file mode 100644 index f60588a000..0000000000 --- a/devices/surface-hub/index.md +++ /dev/null @@ -1,182 +0,0 @@ ---- -title: Surface Hub -author: greg-lindsay -ms.author: greglin -manager: laurawi -layout: LandingPage -ms.prod: surface-hub -ms.tgt_pltfrm: na -ms.devlang: na -ms.topic: landing-page -description: "Get started with Microsoft Surface Hub." -ms.localizationpriority: High ---- -# Get started with Surface Hub - -Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Use the links below to learn how to plan, deploy, manage, and support your Surface Hub devices. - - - - - ---- - - \ No newline at end of file diff --git a/devices/surface-hub/index.yml b/devices/surface-hub/index.yml new file mode 100644 index 0000000000..7f4e46228a --- /dev/null +++ b/devices/surface-hub/index.yml @@ -0,0 +1,127 @@ +### YamlMime:Hub + +title: Surface Hub documentation # < 60 chars +summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. # < 160 chars +# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin +brand: windows + +metadata: + title: Surface Hub documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Get started with Microsoft Surface Hub. # Required; article description that is displayed in search results. < 160 chars. + services: product-insights + ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM. + ms.topic: hub-page # Required + ms.prod: surface-hub + ms.technology: windows + audience: ITPro + ms.localizationpriority: medium + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + manager: laurawi + +# highlightedContent section (optional) +# Maximum of 8 items +highlightedContent: +# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + items: + # Card + - title: What is Surface Hub 2S? + itemType: overview + url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099 + # Card + - title: What's new in Surface Hub 2S? + itemType: whats-new + url: surface-hub-2s-whats-new.md + # Card + - title: Operating system essentials + itemType: learn + url: differences-between-surface-hub-and-windows-10-enterprise.md + # Card + - title: Surface Hub 2S Site Readiness Guide + itemType: learn + url: surface-hub-2s-site-readiness-guide.md + # Card + - title: Install and mount Surface Hub 2S + itemType: how-to-guide + url: surface-hub-2s-install-mount.md + # Card + - title: Customize Surface Hub 2S installation + itemType: how-to-guide + url: surface-hub-2s-custom-install.md + +# productDirectory section (optional) +productDirectory: + title: Deploy, manage, and support your Surface Hub devices # < 60 chars (optional) + summary: Find related links to deploy, manage and support your Surface Hub devices. # < 160 chars (optional) + items: + # Card + - title: Deploy + # imageSrc should be square in ratio with no whitespace + imageSrc: https://docs.microsoft.com/office/media/icons/deploy-blue.svg + links: + - url: surface-hub-2s-adoption-kit.md + text: Surface Hub 2S adoption and training + - url: surface-hub-2s-deploy-checklist.md + text: Surface Hub 2S deployment checklist + - url: surface-hub-2s-account.md + text: Create device account + # Card + - title: Manage + imageSrc: https://docs.microsoft.com/office/media/icons/process-flow-blue.svg + links: + - url: surface-hub-2s-manage-intune.md + text: Manage with Intune + - url: local-management-surface-hub-settings.md + text: Manage local settings + # Card + - title: Secure + imageSrc: https://docs.microsoft.com/office/media/icons/security-blue.svg + links: + - url: surface-hub-2s-secure-with-uefi-semm.md + text: Secure with UEFI and SEMM + - url: surface-hub-wifi-direct.md + text: Wi-Fi security considerations + # Card + - title: Troubleshoot + imageSrc: https://docs.microsoft.com/office/media/icons/connector-blue.svg + links: + - url: https://support.microsoft.com/help/4493926 + text: Service and warranty + - url: surface-hub-2s-recover-reset.md + text: Recover & reset Surface Hub 2S + - url: support-solutions-surface-hub.md + text: Surface Hub support solutions + - url: https://support.office.com/article/Enable-Microsoft-Whiteboard-on-Surface-Hub-b5df4539-f735-42ff-b22a-0f5e21be7627 + text: Enable Microsoft Whiteboard on Surface Hub + +# additionalContent section (optional) +# Card with links style +additionalContent: + # Supports up to 3 sections + sections: + - title: Other content # < 60 chars (optional) + summary: Find related links for videos, community and support. # < 160 chars (optional) + items: + # Card + - title: Get ready for Surface Hub 2S + links: + - text: Ordering Surface Hub 2S + url: https://www.microsoft.com/p/surface-hub-2S/8P62MW6BN9G4?activetab=pivot:overviewtab + - text: Prepare your environment for Surface Hub 2S + url: surface-hub-2s-prepare-environment.md + # Card + - title: Surface Hub 2S Videos + links: + - text: Adoption and training videos + url: surface-hub-2s-adoption-videos.md + - text: Surface Hub 2S with Teams + url: https://www.youtube.com/watch?v=CH2seLS5Wb0 + - text: Surface Hub 2S with Microsoft 365 + url: https://www.youtube.com/watch?v=I4N2lQX4WyI&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ&index=7 + # Card + - title: Community + links: + - text: Join the Surface Hub Technical Community + url: https://techcommunity.microsoft.com/t5/Surface-Hub/bd-p/SurfaceHub + - text: Join the Surface Devices Technical Community + url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index 1aaeb331ee..c36d53f1f6 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -50,22 +50,26 @@ To ensure optimal video and audio quality on Surface Hub 2S, add the following Q |**Name**|**Description**|**OMA-URI**|**Type**|**Value**| |:------ |:------------- |:--------- |:------ |:------- | -|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DestinationPortMatchCondition | String | 3478-3479 | -|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | -|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DestinationPortMatchCondition | String | 3480 | -|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | +|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DestinationPortMatchCondition | String | 3478-3479 | +|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DSCPAction | Integer | 46 | +|**Video Port**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DestinationPortMatchCondition | String | 3480 | +|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DSCPAction | Integer | 34 | +|**P2P Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DestinationPortMatchCondition | String | 50000-50019 | +|**P2P Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DSCPAction | Integer | 46 | +|**P2P Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DestinationPortMatchCondition | String | 50020-50039 | +|**P2P Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DSCPAction | Integer | 34 | ### Skype for Business QoS settings | Name | Description | OMA-URI | Type | Value | | ------------------ | ------------------- | ------------------------------------------------------------------------ | ------- | ------------------------------ | -| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 | -| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | -| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | -| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 | -| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | -| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | +| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/SourcePortMatchCondition | String | 50000-50019 | +| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/DSCPAction | Integer | 46 | +| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | +| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/SourcePortMatchCondition | String | 50020-50039 | +| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/DSCPAction | Integer | 34 | +| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | > [!NOTE] > Both tables show default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel. diff --git a/devices/surface-hub/surface-hub-2s-whats-new.md b/devices/surface-hub/surface-hub-2s-whats-new.md index 13d7eb06ce..82589b360e 100644 --- a/devices/surface-hub/surface-hub-2s-whats-new.md +++ b/devices/surface-hub/surface-hub-2s-whats-new.md @@ -22,7 +22,7 @@ Surface Hub 2S is an all-in-one collaboration canvas that’s built for teamwork |**Mobile Device Management and UEFI manageability**| Manage settings and policies using a mobile device management (MDM) provider.

Full integration with Surface Enterprise Management Mode (SEMM) lets you manage hardware components and firmware. | [Managing Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)

[Surface Enterprise Management Mode](https://docs.microsoft.com/surface/surface-enterprise-management-mode) | |**Cloud and on-premises coexistence**| Supports on-premises, hybrid, or online. | [Prepare your environment for Microsoft Surface Hub 2S](surface-hub-2s-prepare-environment.md) | |**Reset and recovery**| Restore from the cloud or USB drive. | [Recover and reset Surface Hub 2S](surface-hub-2s-recover-reset.md) | -|**Microsoft Whiteboard**| Ofice 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) | +|**Microsoft Whiteboard**| Office 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) | |**Microsoft Teams Meeting Room License**| Extends Office 365 licensing options across Skype for Business, Microsoft Teams, and Intune. | [Teams Meeting Room Licensing Update](https://docs.microsoft.com/MicrosoftTeams/room-systems/skype-room-systems-v2-0) | |**On-screen display**| Adjust volume, brightness, and input control directly on the display. | | |**Sensor-activated Connected Standby**| Doppler sensor activates Connected Standby after 1 minute of inactivity.

Manage this setting remotely using Intune or directly on the device from the Settings app. | [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) | diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 50af49ec5c..8e584f17b3 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -24,6 +24,33 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
+February 28, 2020—update for Surface Hub 2S + +This update is specific to the Surface Hub 2S and provides the driver and firmware updates outlined below: + +* Surface Integration driver - 13.46.139.0 + * Improves display brightness scenarios. +* Intel(R) Management Engine Interface driver - 1914.12.0.1256 + * Improves system stability. +* Surface SMC Firmware update - 1.161.139.0 + * Improves pen battery performance. +* Surface UEFI update - 694.2938.768.0 + * Improves system stability. +
+ +
+February 11, 2020—update for Team edition based on KB4537765* (OS Build 15063.2284) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + +* Resolves an issue where the Hub 2S cannot be heard well by other participants during Skype for Business calls. +* Improves reliability for some Arabic, Hebrew, and other RTL language usage scenarios on Surface Hub. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4537765](https://support.microsoft.com/help/4537765) +
+
January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254) diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 86ad0dd85e..7245176edd 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.yml) -## [Get started](get-started.md) +## [Surface devices documentation](get-started.yml) ## Overview diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md deleted file mode 100644 index c81e994d70..0000000000 --- a/devices/surface/get-started.md +++ /dev/null @@ -1,169 +0,0 @@ ---- -title: Get started with Surface devices -author: greg-lindsay -ms.author: greglin -manager: laurawi -layout: LandingPage -ms.assetid: -ms.audience: itpro -ms.tgt_pltfrm: na -ms.devlang: na -ms.topic: landing-page -description: "Get started with Microsoft Surface devices" -ms.localizationpriority: High ---- -# Get started with Surface devices - -Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface for Business devices in your organization. - - - - ---- - - \ No newline at end of file diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml new file mode 100644 index 0000000000..edb22aac8c --- /dev/null +++ b/devices/surface/get-started.yml @@ -0,0 +1,122 @@ +### YamlMime:Landing + +title: Surface devices documentation # < 60 chars +summary: Harness the power of Surface, Windows, and Office connected together through the cloud. # < 160 chars + +metadata: + title: Surface devices documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Get started with Microsoft Surface devices # Required; article description that is displayed in search results. < 160 chars. + ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM. + ms.topic: landing-page # Required + manager: laurawi + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + audience: itpro + ms.localizationpriority: High + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Surface devices + linkLists: + - linkListType: overview + links: + - text: Surface Pro 7 for Business + url: https://www.microsoft.com/surface/business/surface-pro-7 + - text: Surface Pro X for Business + url: https://www.microsoft.com/surface/business/surface-pro-x + - text: Surface Laptop 3 for Business + url: https://www.microsoft.com/surface/business/surface-laptop-3 + - text: Surface Book 2 for Business + url: https://www.microsoft.com/surface/business/surface-book-2 + - text: Surface Studio 2 for Business + url: https://www.microsoft.com/surface/business/surface-studio-2 + - text: Surface Go + url: https://www.microsoft.com/surface/business/surface-go + - linkListType: video + links: + - text: Microsoft Mechanics Surface videos + url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ + + # Card (optional) + - title: Get started + linkLists: + - linkListType: get-started + links: + - text: Surface and Endpoint Configuration Manager considerations + url: considerations-for-surface-and-system-center-configuration-manager.md + - text: Wake On LAN for Surface devices + url: wake-on-lan-for-surface-devices.md + + # Card + - title: Deploy Surface devices + linkLists: + - linkListType: deploy + links: + - text: Manage and deploy Surface driver and firmware updates + url: manage-surface-driver-and-firmware-updates.md + - text: Autopilot and Surface devices + url: windows-autopilot-and-surface-devices.md + - text: Deploying, managing, and servicing Surface Pro X + url: surface-pro-arm-app-management.md + + # Card + - title: Manage Surface devices + linkLists: + - linkListType: how-to-guide + links: + - text: Optimize Wi-Fi connectivity for Surface devices + url: surface-wireless-connect.md + - text: Best practice power settings for Surface devices + url: maintain-optimal-power-settings-on-Surface-devices.md + - text: Manage battery limit with UEFI + url: battery-limit.md + + # Card + - title: Secure Surface devices + linkLists: + - linkListType: how-to-guide + links: + - text: Intune management of Surface UEFI settings + url: surface-manage-dfci-guide.md + - text: Surface Enterprise Management Mode (SEMM) + url: surface-enterprise-management-mode.md + - text: Surface Data Eraser tool + url: microsoft-surface-data-eraser.md + + # Card + - title: Discover Surface tools + linkLists: + - linkListType: how-to-guide + links: + - text: Surface Dock Firmware Update + url: surface-dock-firmware-update.md + - text: Surface Diagnostic Toolkit for Business + url: surface-diagnostic-toolkit-for-business-intro.md + - text: SEMM and UEFI + url: surface-enterprise-management-mode.md + - text: Surface Brightness Control + url: microsoft-surface-brightness-control.md + - text: Battery Limit setting + url: battery-limit.md + + # Card + - title: Support and community + linkLists: + - linkListType: learn + links: + - text: Top support solutions + url: support-solutions-surface.md + - text: Maximize your Surface battery life + url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life + - text: Troubleshoot Surface Dock and docking stations + url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations + - linkListType: reference + links: + - text: Surface IT Pro blog + url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro + - text: Surface Devices Tech Community + url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md index df0d5c2874..e2913ed910 100644 --- a/devices/surface/manage-surface-driver-and-firmware-updates.md +++ b/devices/surface/manage-surface-driver-and-firmware-updates.md @@ -14,18 +14,17 @@ author: dansimp ms.author: dansimp ms.topic: article ms.audience: itpro -ms.date: 01/24/2020 +ms.date: 03/10/2020 --- # Manage and deploy Surface driver and firmware updates - -How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distributing updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network. +How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distribute updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network. > [!NOTE] > This article is intended for technical support agents and IT professionals and applies to Surface devices only. If you're looking for help to install Surface updates or firmware on a home device, see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505). -While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for maintaining the stability of your production environment and enabling users to stay productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals. +While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for sustaining a stable production environment and ensuring users aren't blocked from being productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals. ## Central update management in commercial environments @@ -33,7 +32,7 @@ Microsoft has streamlined tools for managing devices – including driver and fi ### Manage updates with Configuration Manager and Intune -Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. +Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed, and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. For detailed steps, see the following resources: @@ -44,38 +43,42 @@ For detailed steps, see the following resources: ### Manage updates with Microsoft Deployment Toolkit -Included in Microsoft Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. MDT includes the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). +Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). For detailed steps, see the following resources: -Surface driver and firmware updates are packaged as Windows Installer (MSI) files. To deploy these Windows Installer packages, you can use application deployment utilities such as the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. Such solutions provide the means for administrators to test and review updates before deploying them, and to centralize deployment. For each device, it is important to select the correct MSI file for the device and its operating system. For more information see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). - -For instructions on how to deploy updates by using Microsoft Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit) -- [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt) +- [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt) + +Surface driver and firmware updates are packaged as Windows Installer (*.msi) files. To deploy these Windows Installer packages, you can use Endpoint Configuration Manager or MDT. For information about selecting the correct .msi file for a device and operating system, refer to the guidance below about downloading .msi files. + +For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). + **WindowsPE and Surface firmware and drivers** -Microsoft Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. +Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. -### Microsoft Endpoint Configuration Manager +### Endpoint Configuration Manager + +Starting in Endpoint Configuration Manager, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager). -Starting in Microsoft Endpoint Configuration Manager, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. The process resembles that for deploying regular updates. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager). ## Supported devices -Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. + +Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. ## Managing firmware with DFCI + With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see: - - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide) - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). ## Best practices for update deployment processes -To maintain a stable environment and keep users productive, it’s strongly recommended to maintain parity with the most recent version of Windows 10. For best practice recommendations, see [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). +To maintain a stable environment, it's strongly recommended to maintain parity with the most recent version of Windows 10. For best practice recommendations, see [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). ## Downloadable Surface update packages @@ -93,6 +96,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re ### Downloading .msi files + 1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center. 2. Select the .msi file name that matches the Surface model and version of Windows. The .msi file name includes the minimum supported Windows build number required to install the drivers and firmware. For example, as shown in the following figure, to update a Surface Book 2 with build 18362 of Windows 10, choose **SurfaceBook2_Win10_18362_19.101.13994.msi.** For a Surface Book 2 with build 16299 of Windows 10, choose **SurfaceBook2_Win10_16299_1803509_3.msi**. @@ -102,6 +106,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re ### Surface .msi naming convention + Since August 2019, .msi files have used the following naming convention: - *Product*_*Windows release*_*Windows build number*_*Version number*_*Revision of version number (typically zero)*. diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index df3918d715..a64fb3cc4f 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -7,7 +7,6 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 06/11/2019 ms.reviewer: cottmca manager: dansimp ms.localizationpriority: medium @@ -34,7 +33,8 @@ Before you run the diagnostic tool, make sure you have the latest Windows update 2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. -# If you still need help + +## If you still need help If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also: diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index dbcb9648b0..f74ee76e83 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -9,7 +9,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 10/31/2019 +ms.date: 03/09/2020 ms.reviewer: manager: dansimp ms.localizationpriority: medium @@ -24,18 +24,15 @@ System Model and System SKU are variables that are stored in the System Manageme | Device | System Model | System SKU | | ---------- | ----------- | -------------- | -| AMD Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1873 | -| Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1867:1868 | -| Surface Laptop 3 | Surface 3 | Surface_3 | Surface 3 WiFI | Surface 3 | Surface_3 | | Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 | | Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 | | Surface 3 LTE North America | Surface 3 | Surface_3_NAG | -| Surface 3 LTE Outside of North America and Y!mobile In Japan | Surface 3 | Surface_3_ROW | +| Surface 3 LTE outside of North America and Y!mobile in Japan | Surface 3 | Surface_3_ROW | | Surface Pro | Surface Pro | Surface_Pro_1796 | | Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 | -| Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 | -| Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | +| Surface Book 2 13" | Surface Book 2 | Surface_Book_1832 | +| Surface Book 2 15" | Surface Book 2 | Surface_Book_1793 | | Surface Go LTE Consumer | Surface Go | Surface_Go_1825_Consumer | | Surface Go LTE Commercial | System Go | Surface_Go_1825_Commercial | | Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | diff --git a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md index fdfc5ef202..3645704cf9 100644 --- a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md +++ b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md @@ -52,7 +52,7 @@ The Microsoft Application Virtualization (App-V) 5.0 Administrator’s Guide pro - [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata.md) - [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md) -# +## Also see - Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). - For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md index b5120b6279..07efe04eca 100644 --- a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md +++ b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md @@ -48,7 +48,7 @@ The Microsoft Application Virtualization (App-V) 5.1 Administrator’s Guide pro - [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata51.md) - [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md) -# +## Also see - Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). - For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/mbam-v2/about-mbam-20-sp1.md b/mdop/mbam-v2/about-mbam-20-sp1.md index ab210f8c1c..cb1d4df6a7 100644 --- a/mdop/mbam-v2/about-mbam-20-sp1.md +++ b/mdop/mbam-v2/about-mbam-20-sp1.md @@ -16,12 +16,10 @@ ms.date: 08/30/2016 # About MBAM 2.0 SP1 - This topic describes the changes in Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1). For a general description of MBAM, see [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md). ## What’s new in MBAM 2.0 SP1 - This version of MBAM provides the following new features and functionality. ### Support for Windows 8.1, Windows Server 2012 R2, and System Center 2012 R2 Configuration Manager @@ -257,8 +255,9 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M // Microsoft BitLocker Administration and Monitoring //=================================================== -# pragma namespace ("\\\\.\\root\\cimv2") -# pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + # pragma namespace ("\\\\.\\root\\cimv2") + # pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -290,8 +289,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M Boolean IsAutoUnlockEnabled; }; -# pragma namespace ("\\\\.\\root\\cimv2") -# pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + # pragma namespace ("\\\\.\\root\\cimv2") + # pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { @@ -352,8 +351,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M EncodedComputerName; }; -# pragma namespace ("\\\\.\\root\\cimv2") -# pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + # pragma namespace ("\\\\.\\root\\cimv2") + # pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy_64 { @@ -414,8 +413,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M EncodedComputerName; }; -# pragma namespace ("\\\\.\\root\\cimv2") -# pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + # pragma namespace ("\\\\.\\root\\cimv2") + # pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended @@ -426,8 +425,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M uint32 SKU; }; -# pragma namespace ("\\\\.\\root\\cimv2") -# pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + # pragma namespace ("\\\\.\\root\\cimv2") + # pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended @@ -449,35 +448,23 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M MBAM 2.0 SP1 is now available in the following languages: - English (United States) en-US - - French (France) fr-FR - - Italian (Italy) it-IT - - German (Germany) de-DE - - Spanish, International Sort (Spain) es-ES - - Korean (Korea) ko-KR - - Japanese (Japan) ja-JP - - Portuguese (Brazil) pt-BR - - Russian (Russia) ru-RU - - Chinese Traditional zh-TW - - Chinese Simplified zh-CN ## How to Get MDOP Technologies - MBAM 2.0 SP1 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). ## Related topics - [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 475db540e0..4de4f71bdc 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -76,7 +76,11 @@ manager: dansimp This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. +> [!NOTE] +> DeviceEnroller.exe will not elevate the user if a pre-configured local admin group already exists on the device. This is a security measure in the executable where it checks for other non-disabled Administrators' membership(s). If at least one already exists, the tool will exit without elevating. + +> [!CAUTION] +> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 2e002f5962..beff0509a7 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.author: dansimp author: dansimp ms.localizationpriority: medium -ms.date: 12/03/18 ms.reviewer: manager: dansimp ms.topic: troubleshooting @@ -34,8 +33,6 @@ When troubleshooting basic Start issues (and for the most part, all other Window - Powershell:[System.Environment]::OSVersion.Version - WinVer from CMD.exe - - ### Check if Start is installed - If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully. @@ -66,7 +63,6 @@ If it is installed but not running, test booting into safe mode or use MSCONFIG - If that file does not exist, the system is a clean install. - Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"` - ### Check if Start is registered or activated - Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet: diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 84bd681996..8b61799ddc 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -79,19 +79,20 @@ ##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) -### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) -##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) -##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) -##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +### Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) +#### [Get started with MDT](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) -#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) -#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) -#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) -#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) -#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) -#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) +#### Deploy Windows 10 with MDT +##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +##### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) +##### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) +##### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) +##### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) +##### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) +##### [Perform an in-place upgrade to Windows 10 with MDT](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) + +#### Customize MDT +##### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) ##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) ##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) ##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) @@ -272,4 +273,3 @@ ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Determine the source of Windows updates](update/windows-update-sources.md) - diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md deleted file mode 100644 index 2389ae314a..0000000000 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ /dev/null @@ -1,161 +0,0 @@ ---- -title: Change history for Deploy Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Change history for Deploy Windows 10 -This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). - -## April 2018 - -New or changed topic | Description ---- | --- -[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express. - -## November 2017 - -New or changed topic | Description --- | --- - [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. - -## RELEASE: Windows 10, version 1709 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. | -| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.| - -## July 2017 -| New or changed topic | Description | -|----------------------|-------------| -| The table of contents for deployment topics was reorganized. - -## June 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New | - -## April 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. | -| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. | -| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. | -| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. | - - -## RELEASE: Windows 10, version 1703 -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index). - - -## March 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | -| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. | -| [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | -| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | - -## February 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. | -| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content | -| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started | -| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting | -| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New | -| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content | -| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New | -| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New | -| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New | - - -## January 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | -| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | -| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | -| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) | -| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) | -| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) | -| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) | -| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) | -| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) | -| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) | -| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) | -| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | -| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | -| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | - - -## October 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New | - -## September 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery | -| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows | -| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New | - -## RELEASE: Windows 10, version 1607 - -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - -- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md) -- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) -- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) - -## August 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements | - -## July 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New | - -## June 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | -| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 | -| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New | - -## May 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New | - -## December 2015 -| New or changed topic | Description | -|----------------------|-------------| -| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated | -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated | - -## November 2015 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New | - -## Related topics -- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment) -- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -- [Change history for Device Security](/windows/device-security/change-history-for-device-security) -- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) diff --git a/windows/deployment/deploy-old.md b/windows/deployment/deploy-old.md new file mode 100644 index 0000000000..56697276c6 --- /dev/null +++ b/windows/deployment/deploy-old.md @@ -0,0 +1,48 @@ +--- +title: Deploy Windows 10 (Windows 10) +description: Deploying Windows 10 for IT professionals. +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 + +Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available. + + +|Topic |Description | +|------|------------| +|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | +|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | +|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | +|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | +|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | +|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | +|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| + +## Related topics + +[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) + +  + +  + + + + + diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 0ee0a6d5b3..bc0b6b6602 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -169,11 +169,9 @@ For more information, see the following guides: The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. -[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) -
[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -
[Change history for Device Security](/windows/device-security/change-history-for-device-security) -
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) - +[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+[Change history for Device Security](/windows/device-security/change-history-for-device-security)
+[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/TOC.md b/windows/deployment/deploy-windows-mdt/TOC.md new file mode 100644 index 0000000000..7f51b8ca5b --- /dev/null +++ b/windows/deployment/deploy-windows-mdt/TOC.md @@ -0,0 +1,22 @@ +# Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) +## [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md) + +## Deploy Windows 10 with MDT +### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) + +## Customize MDT +### [Configure MDT settings](configure-mdt-settings.md) +### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +### [Use web services in MDT](use-web-services-in-mdt.md) +### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index f0259285ae..67daeba302 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -21,15 +21,19 @@ ms.topic: article **Applies to** - Windows 10 -In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of the deployment solution. With images reaching 5 GB in size or more, you can't deploy machines in a remote office over the wire. You need to replicate the content, so that the clients can do local deployments. +Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. -We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0006 is a blank machine to which you will deploy Windows 10. You will configure a second deployment server (MDT02) for a remote site (Stockholm) by replicating the deployment share in the original site (New York). MDT01, MDT02, and PC0006 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. + +For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![figure 1](../images/mdt-10-fig01.png) -Figure 1. The machines used in this topic. +Computers used in this topic. -## Replicate deployment shares +>HV01 is also used in this topic to host the PC0006 virtual machine. + +## Replicate deployment shares Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. @@ -42,60 +46,88 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes ### Why DFS-R is a better option -DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication target(s) as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. +DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. -## Set up Distributed File System Replication (DFS-R) for replication +## Set up Distributed File System Replication (DFS-R) for replication -Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings. +Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings. ### Prepare MDT01 for replication -1. On MDT01, using Server Manager, click **Add roles and features**. -2. On the **Select installation type** page, select **Role-based or feature-based installation**. -3. On the **Select destination server** page, select **MDT01.contoso.com** and click **Next**. -4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**. -5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**. +On **MDT01**: - ![figure 2](../images/mdt-10-fig02.png) +1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt: - Figure 2. Adding the DFS Replication role to MDT01. +```powershell +Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools +``` -6. On the **Select features** page, accept the default settings, and click **Next**. -7. On the **Confirm installation selections** page, click **Install**. -8. On the **Installation progress** page, click **Close**. +2. Wait for installation to comlete, and then verify that the installation was successful. See the following output: + +```output +PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools + +Success Restart Needed Exit Code Feature Result +------- -------------- --------- -------------- +True No Success {DFS Replication, DFS Management Tools, Fi... +``` ### Prepare MDT02 for replication -1. On MDT02, using Server Manager, click **Add roles and features**. -2. On the **Select installation type** page, select **Role-based or feature-based installation**. -3. On the **Select destination server** page, select **MDT02.contoso.com** and click **Next**. -4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**. -5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**. -6. On the **Select features** page, accept the default settings, and click **Next**. -7. On the **Confirm installation selections** page, click **Install**. -8. On the **Installation progress** page, click **Close**. +On **MDT02**: + +1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt: + +```powershell +Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools +``` + +2. Wait for installation to comlete, and then verify that the installation was successful. See the following output: + +```output +PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools + +Success Restart Needed Exit Code Feature Result +------- -------------- --------- -------------- +True No Success {DFS Replication, DFS Management Tools, Fi... +``` ### Create the MDTProduction folder on MDT02 -1. On MDT02, using File Explorer, create the **E:\\MDTProduction** folder. -2. Share the **E:\\MDTProduction** folder as **MDTProduction$**. Use the default permissions. +On **MDT02**: - ![figure 3](../images/mdt-10-fig03.png) +1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt: - Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02. + ```powershell + mkdir d:\MDTProduction + New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" + ``` + +2. You should see the following output: + + ```output + C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" + + Name ScopeName Path Description + ---- --------- ---- ----------- + MDTProduction$ * D:\MDTProduction + ``` ### Configure the deployment share When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property. -1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this: + +On **MDT01**: + +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. ```ini [Settings] Priority=DefaultGateway, Default [DefaultGateway] - 192.168.1.1=NewYork - 192.168.2.1=Stockholm + 10.10.10.1=NewYork + 10.10.20.1=Stockholm [NewYork] DeployRoot=\\MDT01\MDTProduction$ @@ -106,137 +138,133 @@ When you have multiple deployment servers sharing the same content, you need to [Default] UserDomain=CONTOSO UserID=MDT_BA + UserPassword=pass@word1 SkipBDDWelcome=YES ``` - - > [!NOTE] - > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. - > - > To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + >[!NOTE] + >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). 2. Save the Bootstrap.ini file. -3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. - - ![figure 4](../images/mdt-10-fig04.png) - - Figure 4. Updating the MDT Production deployment share. - -4. Use the default settings for the Update Deployment Share Wizard. -5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. +3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes. +4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. +5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. ![figure 5](../images/mdt-10-fig05.png) - Figure 5. Replacing the updated boot image in WDS. + Replacing the updated boot image in WDS. -6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. + >[!TIP] + >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. + + ## Replicate the content - ## Replicate the content Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. ### Create the replication group -7. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**. -8. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**. -9. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**. -10. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**. +6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and click **New Replication Group**. +7. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**. +8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**. +9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**. ![figure 6](../images/mdt-10-fig06.png) - Figure 6. Adding the Replication Group Members. + Adding the Replication Group Members. -11. On the **Topology Selection** page, select the **Full mesh** option and click **Next**. -12. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**. -13. On the **Primary Member** page, select **MDT01** and click **Next**. -14. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**. -15. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**. -16. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**. - - ![figure 7](../images/mdt-10-fig07.png) - - Figure 7. Configure the MDT02 member. - -17. On the **Review Settings and Create Replication Group** page, click **Create**. -18. On the **Confirmation** page, click **Close**. +10. On the **Topology Selection** page, select the **Full mesh** option and click **Next**. +11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**. +12. On the **Primary Member** page, select **MDT01** and click **Next**. +13. On the **Folders to Replicate** page, click **Add**, enter **D:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**. +14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**. +15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**. +16. On the **Review Settings and Create Replication Group** page, click **Create**. +17. On the **Confirmation** page, click **Close**. ### Configure replicated folders -19. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**. -20. In the middle pane, right-click the **MDT01** member and select **Properties**. -21. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**: +18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**. +19. In the middle pane, right-click the **MDT01** member and click **Properties**. +20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**: 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. - In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share: + In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share: ``` powershell - (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB + (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB ``` - ![figure 8](../images/mdt-10-fig08.png) - - Figure 8. Configure the Staging settings. - -22. In the middle pane, right-click the **MDT02** member and select **Properties**. -23. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**: +21. In the middle pane, right-click the **MDT02** member and select **Properties**. +22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**: 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. > [!NOTE] > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. - + +23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt: + +```cmd +C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary +MemName IsPrimary +MDT01 Yes +MDT02 No +``` + ### Verify replication -1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder. -2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. -3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, select **Health report** and click **Next**. -4. On the **Path and Name** page, accept the default settings and click **Next**. -5. On the **Members to Include** page, accept the default settings and click **Next**. -6. On the **Options** page, accept the default settings and click **Next**. -7. On the **Review Settings and Create Report** page, click **Create**. -8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option. + +On **MDT02**: + +1. Wait until you start to see content appear in the **D:\\MDTProduction** folder. +2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. +3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and click **Next**. +4. On the **Path and Name** page, accept the default settings and click **Next**. +5. On the **Members to Include** page, accept the default settings and click **Next**. +6. On the **Options** page, accept the default settings and click **Next**. +7. On the **Review Settings and Create Report** page, click **Create**. +8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option. ![figure 9](../images/mdt-10-fig09.png) -Figure 9. The DFS Replication Health Report. +The DFS Replication Health Report. -## Configure Windows Deployment Services (WDS) in a remote site +>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. + +## Configure Windows Deployment Services (WDS) in a remote site Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02. -1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**. -2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings. +1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**. +2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. -## Deploy the Windows 10 client to the remote site +## Deploy a Windows 10 client to the remote site -Now you should have a solution ready for deploying the Windows 10 client to the remote site, Stockholm, connecting to the MDT Production deployment share replica on MDT02. +Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. + +>For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file. 1. Create a virtual machine with the following settings: - 1. Name: PC0006 - 2. Location: C:\\VMs - 3. Generation: 2 - 4. Memory: 2048 MB - 5. Hard disk: 60 GB (dynamic disk) -2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server. + 1. Name: PC0006 + 2. Location: C:\\VMs + 3. Generation: 2 + 4. Memory: 2048 MB + 5. Hard disk: 60 GB (dynamic disk) + 6. Install an operating system from a network-based installation server +2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. 3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - 1. Password: P@ssw0rd - 2. Select a task sequence to execute on this computer: - 1. Windows 10 Enterprise x64 RTM Custom Image - 2. Computer Name: PC0006 - 3. Applications: Select the Install - Adobe Reader XI - x86 application -4. The setup will now start and do the following: + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + 2. Computer Name: PC0006 + 3. Applications: Select the Install - Adobe Reader +4. Setup will now start and perform the following: 1. Install the Windows 10 Enterprise operating system. - 2. Install the added application. - 3. Update the operating system via your local Windows Server Update Services (WSUS) server. + 2. Install applications. + 3. Update the operating system using your local Windows Server Update Services (WSUS) server. + +![pc0001](../images/pc0006.png) ## Related topics -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - -[Configure MDT settings](configure-mdt-settings.md) - - +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 2b89867e2e..0eac636a76 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,6 +1,6 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment. +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: manager: laurawi @@ -19,11 +19,11 @@ ms.topic: article # Configure MDT settings One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ![figure 1](../images/mdt-09-fig01.png) -Figure 1. The machines used in this topic. +The computers used in this topic. ## In this section @@ -38,14 +38,9 @@ Figure 1. The machines used in this topic. ## Related topics -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md index 9076a17339..45f4bb2bb8 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -1,6 +1,6 @@ --- title: Create a task sequence with Configuration Manager (Windows 10) -description: Create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. +description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 ms.reviewer: manager: laurawi @@ -23,14 +23,14 @@ ms.topic: article - Windows 10 -In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. +In this topic, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ## Create a task sequence using the MDT Integration Wizard -This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use. +This section walks you through the process of creating a Configuration Manager task sequence for production use. 1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 8e20ab78c8..aada4ef42f 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -19,60 +19,72 @@ ms.topic: article # Create a Windows 10 reference image **Applies to** -- Windows 10 +- Windows 10 Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. >[!NOTE] ->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](../images/mdt-08-fig01.png) +>See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. -Figure 1. The machines used in this topic. +For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. + - DC01 is a domain controller for the contoso.com domain. + - MDT01 is a contoso.com domain member server. + - HV01 is a Hyper-V server that will be used to build the reference image. + + ![devices](../images/mdt-08-fig01.png) + + Computers used in this topic. ## The reference image -The reference image described in this documentation is designed primarily for deployment to physical machines. However, the reference image is created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: -- You reduce development time and can use snapshots to test different configurations quickly. -- You rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. -- It ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. -- It's easy to move between lab, test, and production. +The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: +- To reduce development time and can use snapshots to test different configurations quickly. +- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. +- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. +- The image is easy to move between lab, test, and production. -## Set up the MDT build lab deployment share +## Set up the MDT build lab deployment share -With Windows 10, there is no hard requirement to create reference images; however, to reduce the time needed for deployment, you may want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share -- On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. +On **MDT01**: + +- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). +- Start the MDT deployment workbench, and pin this to the taskbar for easy access. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: -- Deployment share path: E:\\MDTBuildLab -- Share name: MDTBuildLab$ -- Deployment share description: MDT Build Lab -- <default> -- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. + - Deployment share path: **D:\\MDTBuildLab** + - Share name: **MDTBuildLab$** + - Deployment share description: **MDT Build Lab** +- Accept the default selections on the Options page and click **Next**. +- Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**. +- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. -![figure 2](../images/mdt-08-fig02.png) + ![figure 2](../images/mdt-08-fig02.png) -Figure 2. The Deployment Workbench with the MDT Build Lab deployment share created. + The Deployment Workbench with the MDT Build Lab deployment share. + +### Enable monitoring + +To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. ### Configure permissions for the deployment share -In order to write the reference image back to the deployment share, you need to assign Modify permissions to the MDT Build Account (MDT\_BA) for the **Captures** subfolder in the **E:\\MDTBuildLab** folder -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt: +In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder - ``` - icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)' +On **MDT01**: + +1. Ensure you are signed in as **contoso\\administrator**. +2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: + + ``` powershell + icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' + grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force ``` -![figure 3](../images/mdt-08-fig03.png) - -Figure 3. Permissions configured for the MDT\_BA user. - -## Add the setup files +## Add setup files This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. @@ -85,211 +97,205 @@ MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images t ### Add Windows 10 Enterprise x64 (full source) -In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the **E:\\Downloads\\Windows 10 Enterprise x64** folder. +On **MDT01**: -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. -4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: -5. Full set of source files -6. Source directory: E:\\Downloads\\Windows 10 Enterprise x64 -7. Destination directory name: W10EX64RTM -8. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** +1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD. -![figure 4](../images/figure4-deployment-workbench.png) + ![ISO](../images/iso-data.png) -Figure 4. The imported Windows 10 operating system after renaming it. +2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. +3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + - Source directory: (location of your source files) + - Destination directory name: W10EX64RTM +5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. -## Add applications + ![Default image](../images/deployment-workbench01.png) -Before you create an MDT task sequence, you need to add all of the applications and other sample scripts to the MDT Build Lab share. +>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. -The steps in this section use a strict naming standard for your MDT applications. You add the "Install - " prefix for typical application installations that run a setup installer of some kind, and you use the "Configure - " prefix when an application configures a setting in the operating system. You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. -By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. In this topic's step-by-step sections, you will add the following applications: +## Add applications -- Install - Microsoft Office 2013 Pro Plus - x86 -- Install - Microsoft Silverlight 5.0 - x64 -- Install - Microsoft Visual C++ 2005 SP1 - x86 -- Install - Microsoft Visual C++ 2005 SP1 - x64 -- Install - Microsoft Visual C++ 2008 SP1 - x86 -- Install - Microsoft Visual C++ 2008 SP1 - x64 -- Install - Microsoft Visual C++ 2010 SP1 - x86 -- Install - Microsoft Visual C++ 2010 SP1 - x64 -- Install - Microsoft Visual C++ 2012 Update 4 - x86 -- Install - Microsoft Visual C++ 2012 Update 4 - x64 +Before you create an MDT task sequence, you need to add any applications and scripts you wish to install to the MDT Build Lab share. -In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell. +On **MDT01**: + +First, create an MDT folder to store the Microsoft applications that will be installed: + +1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications** +2. Right-click **Applications** and then click **New Folder**. +3. Under **Folder name**, type **Microsoft**. +4. Click **Next** twice, and then click **Finish**. + +The steps in this section use a strict naming standard for your MDT applications. +- Use the "Install - " prefix for typical application installations that run a setup installer of some kind, +- Use the "Configure - " prefix when an application configures a setting in the operating system. +- You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). + +Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. + +By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. + +In example sections, you will add the following applications: + +- Install - Microsoft Office 365 Pro Plus - x64 +- Install - Microsoft Visual C++ Redistributable 2019 - x86 +- Install - Microsoft Visual C++ Redistributable 2019 - x64 + +>The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261) + +Download links: +- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117) +- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe) +- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe) + +Download all three items in this list to the D:\\Downloads folder on MDT01. + +**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). >[!NOTE] ->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). +>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. -### Create the install: Microsoft Office Professional Plus 2013 x86 +### Create configuration file: Microsoft Office 365 Professional Plus x64 -You can customize Office 2013. In the volume license versions of Office 2013, there is an Office Customization Tool you can use to customize the Office installation. In these steps we assume you have copied the Office 2013 installation files to the E:\\Downloads\\Office2013 folder. +1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted. +2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Office 365 ProPlus that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. -### Add the Microsoft Office Professional Plus 2013 x86 installation files + For example, you can use the following configuration.xml file, which provides these configuration settings: + - Install the 64-bit version of Office 365 ProPlus in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition. + - Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet. + - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages. -After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this. -You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings. -1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**. -2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box. + ```xml + + + + + + + + + + ``` - ![figure 5](../images/mdt-08-fig05.png) + By using these settings, any time you build the reference image you’ll be installing the most up-to-date Semi-Annual Channel version of Office 365 ProPlus. - Figure 5. The Install - Microsoft Office 2013 Pro Plus - x86 application properties. + >[!TIP] + >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. + + Also see [Configuration options for the Office Deployment Tool](https://docs.microsoft.com/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](https://docs.microsoft.com/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information. - >[!NOTE] - >If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft. - -3. In the Office Customization Tool dialog box, select the Create a new Setup customization file for the following product option, select the Microsoft Office Professional Plus 2013 (32-bit) product, and click OK. -4. Use the following settings to configure the Office 2013 setup to be fully unattended: - 1. Install location and organization name - - Organization name: Contoso - 2. Licensing and user interface - 1. Select Use KMS client key - 2. Select I accept the terms in the License Agreement. - 3. Select Display level: None +3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: - ![figure 6](../images/mdt-08-fig06.png) + ![folder](../images/office-folder.png) - Figure 6. The licensing and user interface screen in the Microsoft Office Customization Tool + Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Office 365 ProPlus using the configuration settings in the configuration.xml file. Do not perform this step yet. - 3. Modify Setup properties - - Add the **SETUP\_REBOOT** property and set the value to **Never**. - 4. Modify user settings - - In the **Microsoft Office 2013** node, expand **Privacy**, select **Trust Center**, and enable the Disable Opt-in Wizard on first run setting. -5. From the **File** menu, select **Save**, and save the configuration as 0\_Office2013ProPlusx86.msp in the **E:\\MDTBuildLab\\Applications\\Install - Microsoft Office 2013 Pro Plus - x86\\Updates** folder. + >[!IMPORTANT] + >After Office 365 ProPlus is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Office 365 ProPlus. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Office 365 ProPlus installed as part of your reference image. - >[!NOTE] - >The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates. - -6. Close the Office Customization Tool, click Yes in the dialog box, and in the **Install - Microsoft Office 2013 Pro Plus - x86 Properties** window, click **OK**. +Additional information +- Office 365 ProPlus is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Office 365 ProPlus will most likely need to download and install the latest updates that have been released since you created your reference image. + +- **Note**: By using installing Office Deployment Tool as part of the reference image, Office 365 ProPlus is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Office 365 ProPlus right away and won’t have to download any new updates (which is most likely what would happen if Office 365 ProPlus was installed as part of the reference image.) + - When you are creating your reference image, instead of installing Office 365 ProPlus directly from the Office CDN on the internet, you can install Office 365 ProPlus from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Office 365 ProPlus from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Office 365 ProPlus files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Office 365 ProPlus to that location on your internal network. That way your new reference image will have a more up-to-date installation of Office 365 ProPlus. ### Connect to the deployment share using Windows PowerShell If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive). -1. On MDT01, log on as **CONTOSO\\Administrator**. + +On **MDT01**: + +1. Ensure you are signed in as **contoso\\Administrator**. 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: ``` powershell Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" - New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab" + New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab" ``` +>[!TIP] +>Use "Get-Command -module MicrosoftDeploymentToolkit" to see a list of available cmdlets -### Create the install: Microsoft Visual C++ 2005 SP1 x86 +### Create the install: Microsoft Office 365 Pro Plus - x64 -In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86. -1. On MDT01, log on as **CONTOSO\\Administrator**. +In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. +On **MDT01**: + +1. Ensure you are signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86" - $CommandLine = "vcredist_x86.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x86" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose + $ApplicationName = "Install - Office365 ProPlus - x64" + $CommandLine = "setup.exe /configure configuration.xml" + $ApplicationSourcePath = "D:\Downloads\Office365" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` -### Create the install: Microsoft Visual C++ 2005 SP1 x64 + Upon successful installation the following text is displayed: + ``` + VERBOSE: Performing the operation "import" on target "Application". + VERBOSE: Beginning application import + VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install - + Office365 ProPlus - x64 + VERBOSE: Creating new item named Install - Office365 ProPlus - x64 at DS001:\Applications\Microsoft. + + Name + ---- + Install - Office365 ProPlus - x64 + VERBOSE: Import processing finished. + ``` -In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64. -1. On MDT01, log on as **CONTOSO\\Administrator**. +### Create the install: Microsoft Visual C++ Redistributable 2019 - x86 + +>[!NOTE] +>We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. + +In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. + +On **MDT01**: + +1. Ensure you are signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64" - $CommandLine = "vcredist_x64.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x64" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose + $ApplicationName = "Install - MSVC 2019 - x86" + $CommandLine = "vc_redist.x86.exe /Q" + $ApplicationSourcePath = "D:\Downloads" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` -### Create the install: Microsoft Visual C++ 2008 SP1 x86 + Upon successful installation the following text is displayed: + ``` + VERBOSE: Performing the operation "import" on target "Application". + VERBOSE: Beginning application import + VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86 + VERBOSE: Creating new item named Install - MSVC 2019 - x86 at DS001:\Applications\Microsoft. + + Name + ---- + Install - MSVC 2019 - x86 + VERBOSE: Import processing finished. + ``` -In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86. -1. On MDT01, log on as **CONTOSO\\Administrator**. +### Create the install: Microsoft Visual C++ Redistributable 2019 - x64 + +In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. + +On **MDT01**: + +1. Ensure you are signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86" - $CommandLine = "vcredist_x86.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x86" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose + $ApplicationName = "Install - MSVC 2019 - x64" + $CommandLine = "vc_redist.x64.exe /Q" + $ApplicationSourcePath = "D:\Downloads" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` -### Create the install: Microsoft Visual C++ 2008 SP1 x64 - -In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64. -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64" - $CommandLine = "vcredist_x64.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x64" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose - ``` - -### Create the install: Microsoft Visual C++ 2010 SP1 x86 - -In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86. -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86" - $CommandLine = "vcredist_x86.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x86" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose - ``` - -### Create the install: Microsoft Visual C++ 2010 SP1 x64 - -In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64. -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64" - $CommandLine = "vcredist_x64.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x64" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose - ``` - -### Create the install: Microsoft Visual C++ 2012 Update 4 x86 - -In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86. -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86" - $CommandLine = "vcredist_x86.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2012Ux86" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose - ``` - -### Create the install: Microsoft Visual C++ 2012 Update 4 x64 - -In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64. -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ``` powershell - $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64" - $CommandLine = "vcredist_x64.exe /Q" - $ApplicationSourcePath = "E:\Downloads\VC++2012Ux64" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName - -Verbose - ``` - -## Create the reference image task sequence +## Create the reference image task sequence In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. @@ -302,79 +308,72 @@ Because we use modern virtual platforms for creating our reference images, we do To create a Windows 10 reference image task sequence, the process is as follows: -1. Using the Deployment Workbench in the MDT Build Lab deployment share, right-click **Task Sequences**, and create a new folder named **Windows 10**. -2. Expand the **Task Sequences** node, right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: REFW10X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image - 3. Task sequence comments: Reference Build - 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Do not specify a product key at this time - 7. Full Name: Contoso - 8. Organization: Contoso - 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time +On **MDT01**: + +1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + 1. Task sequence ID: REFW10X64-001 + 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image + 3. Task sequence comments: Reference Build + 4. Template: Standard Client Task Sequence + 5. Select OS: Windows 10 Enterprise x64 RTM Default Image + 6. Specify Product Key: Do not specify a product key at this time + 7. Full Name: Contoso + 8. Organization: Contoso + 9. Internet Explorer home page: http://www.contoso.com + 10. Admin Password: Do not specify an Administrator Password at this time ### Edit the Windows 10 task sequence -The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office 2013. +The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64. -1. In the Task Sequences / Windows 10 folder, right-click the Windows 10 Enterprise x64 RTM Default Image task sequence, and select Properties. -2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: - 1. State Restore. Enable the Windows Update (Pre-Application Installation) action. - **Note**   - Enable an action by going to the Options tab and clearing the Disable this step check box. +On **MDT01**: + +1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**. +2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: + 1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. - 2. State Restore. Enable the Windows Update (Post-Application Installation) action. - 3. State Restore. Enable the Windows Update (Post-Application Installation) action. State Restore. After the **Tattoo** action, add a new **Group** action with the following setting: - - Name: Custom Tasks (Pre-Windows Update) - 4. State Restore. After Windows Update (Post-Application Installation) action, rename Custom Tasks to Custom Tasks (Post-Windows Update). - **Note**   - The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. - - 5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings: - 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 10 - 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) + 2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. + 3. **State Restore**: After the **Tattoo** action, add a new **Group** action (click **Add** then click **New Group**) with the following setting: + - Name: **Custom Tasks (Pre-Windows Update)** + 4. **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**. + - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. + 5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: + 1. Name: Install - Microsoft NET Framework 3.5.1 + 2. Select the operating system for which roles are to be installed: Windows 10 + 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. - ![figure 7](../images/fig8-cust-tasks.png) + ![task sequence](../images/fig8-cust-tasks.png) - Figure 7. The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. + The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. - 6. State Restore - Custom Tasks (Pre-Windows Update). After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action with the following settings: - 1. Name: Install - Microsoft Visual C++ 2005 SP1 - x86 - 2. Install a Single Application: Install - Microsoft Visual C++ 2005 SP1 - x86-x64 - 7. Repeat the previous step (add a new **Install Application**) to add the following applications: - 1. Install - Microsoft Visual C++ 2005 SP1 - x64 - 2. Install - Microsoft Visual C++ 2008 SP1 - x86 - 3. Install - Microsoft Visual C++ 2008 SP1 - x64 - 4. Install - Microsoft Visual C++ 2010 SP1 - x86 - 5. Install - Microsoft Visual C++ 2010 SP1 - x64 - 6. Install - Microsoft Visual C++ 2012 Update 4 - x86 - 7. Install - Microsoft Visual C++ 2012 Update 4 - x64 - 8. Install - Microsoft Office 2013 Pro Plus - x86 - 8. After the Install - Microsoft Office 2013 Pro Plus - x86 action, add a new Restart computer action. -3. Click **OK**. + 6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: + 1. Name: Microsoft Visual C++ Redistributable 2019 - x86 + 2. Install a Single Application: browse to **Install - MSVC 2019 - x86** + 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Office 365 ProPlus as well. +3. Click **OK**. + + ![apps](../images/mdt-apps.png) ### Optional configuration: Add a suspend action The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. -![figure 8](../images/fig8-suspend.png) + ![figure 8](../images/fig8-suspend.png) -Figure 8. A task sequence with optional Suspend action (LTISuspend.wsf) added. + A task sequence with optional Suspend action (LTISuspend.wsf) added. -![figure 9](../images/fig9-resumetaskseq.png) + ![figure 9](../images/fig9-resumetaskseq.png) -Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut. + The Windows 10 desktop with the Resume Task Sequence shortcut. ### Edit the Unattend.xml file for Windows 10 Enterprise -When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK). +When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK). >[!WARNING] >Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. @@ -384,37 +383,54 @@ When using MDT, you don't need to edit the Unattend.xml file very often because Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: -1. Using the Deployment Workbench, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. -2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. -3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. -4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - - DisableDevTools: true -5. Save the Unattend.xml file, and close Windows SIM. -6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. +On **MDT01**: -![figure 10](../images/fig10-unattend.png) +1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. +2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. -Figure 10. Windows System Image Manager with the Windows 10 Unattend.xml. + >[!IMPORTANT] + >The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround: + >- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. + >- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). + >- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). + >- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. -## Configure the MDT deployment share rules +3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. +4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: + - DisableDevTools: true +5. Save the Unattend.xml file, and close Windows SIM. + - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. +6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. -Understanding rules is critical to successfully using MDT. Rules are configured using the Rules tab of the deployment share's properties. The Rules tab is essentially a shortcut to edit the CustomSettings.ini file that exists in the E:\\MDTBuildLab\\Control folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment. + ![figure 10](../images/fig10-unattend.png) + + Windows System Image Manager with the Windows 10 Unattend.xml. + +## Configure the MDT deployment share rules + +Understanding rules is critical to successfully using MDT. Rules are configured using the **Rules** tab of the deployment share's properties. The **Rules** tab is essentially a shortcut to edit the **CustomSettings.ini** file that exists in the **D:\\MDTBuildLab\\Control** folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment. ### MDT deployment share rules overview -In MDT, there are always two rule files: the CustomSettings.ini file and the Bootstrap.ini file. You can add almost any rule to either; however, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. -For that reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. By taking the following steps, you will configure the rules for the MDT Build Lab deployment share: -1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Properties**. -2. Select the **Rules** tab and modify using the following information: +In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. + +To configure the rules for the MDT Build Lab deployment share: + +On **MDT01**: + +1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: + ``` [Settings] Priority=Default + [Default] _SMSTSORGNAME=Contoso UserDataLocation=NONE DoCapture=YES OSInstall=Y - AdminPassword=P@ssw0rd + AdminPassword=pass@word1 TimeZoneName=Pacific Standard Time JoinWorkgroup=WORKGROUP HideShell=YES @@ -439,49 +455,46 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which SkipFinalSummary=YES ``` - ![figure 11](../images/mdt-08-fig14.png) - - Figure 11. The server-side rules for the MDT Build Lab deployment share. + ![figure 11](../images/mdt-rules.png) + The server-side rules for the MDT Build Lab deployment share. + 3. Click **Edit Bootstrap.ini** and modify using the following information: ``` [Settings] Priority=Default + [Default] DeployRoot=\\MDT01\MDTBuildLab$ UserDomain=CONTOSO UserID=MDT_BA - UserPassword=P@ssw0rd + UserPassword=pass@word1 + SkipBDDWelcome=YES ``` - ![figure 12](../images/mdt-08-fig15.png) - - Figure 12. The boot image rules for the MDT Build Lab deployment share. - >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. -4. In the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. -5. In the **Lite Touch Boot Image Settings** area, configure the following settings: - 1. Image description: MDT Build Lab x86 - 2. ISO file name: MDT Build Lab x86.iso -6. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -7. In the **Lite Touch Boot Image Settings** area, configure the following settings: - 1. Image description: MDT Build Lab x64 - 2. ISO file name: MDT Build Lab x64.iso -8. Click **OK**. +4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. +5. In the **Lite Touch Boot Image Settings** area, configure the following settings: + 1. Image description: MDT Build Lab x86 + 2. ISO file name: MDT Build Lab x86.iso +6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +7. In the **Lite Touch Boot Image Settings** area, configure the following settings: + 1. Image description: MDT Build Lab x64 + 2. ISO file name: MDT Build Lab x64.iso +8. Click **OK**. >[!NOTE] >In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). - ### Update the deployment share After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. -1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**. +1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. >[!NOTE] @@ -500,7 +513,7 @@ The CustomSettings.ini file is normally stored on the server, in the Deployment ### The Bootstrap.ini file -The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the E:\\MDTBuildLab\\Control folder on MDT01. +The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01. ``` [Settings] @@ -509,7 +522,7 @@ Priority=Default DeployRoot=\\MDT01\MDTBuildLab$ UserDomain=CONTOSO UserID=MDT_BA -UserPassword=P@ssw0rd +UserPassword=pass@word1 SkipBDDWelcome=YES ``` @@ -538,7 +551,7 @@ _SMSTSORGNAME=Contoso UserDataLocation=NONE DoCapture=YES OSInstall=Y -AdminPassword=P@ssw0rd +AdminPassword=pass@word1 TimeZoneName=Pacific Standard Time JoinWorkgroup=WORKGROUP HideShell=YES @@ -562,91 +575,105 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. -- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. -- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. -- **AdminPassword.** Sets the local Administrator account password. -- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). +- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. +- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. +- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. +- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. +- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. +- **AdminPassword.** Sets the local Administrator account password. +- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). - **Note**   - The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. + **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. -- **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. -- **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. -- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. -- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. -- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). -- **SkipAdminPassword.** Skips the pane that asks for the Administrator password. -- **SkipProductKey.** Skips the pane that asks for the product key. -- **SkipComputerName.** Skips the Computer Name pane. -- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. -- **SkipUserData.** Skips the pane for user state migration. -- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings. -- **SkipTimeZone.** Skips the pane for setting the time zone. -- **SkipApplications.** Skips the Applications pane. -- **SkipBitLocker.** Skips the BitLocker pane. -- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane. -- **SkipRoles.** Skips the Install Roles and Features pane. -- **SkipCapture.** Skips the Capture pane. -- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down. +- **JoinWorkgroup.** Configures Windows to join a workgroup. +- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **FinishAction.** Instructs MDT what to do when the task sequence is complete. +- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. +- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. +- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. +- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). +- **SkipAdminPassword.** Skips the pane that asks for the Administrator password. +- **SkipProductKey.** Skips the pane that asks for the product key. +- **SkipComputerName.** Skips the Computer Name pane. +- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. +- **SkipUserData.** Skips the pane for user state migration. +- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings. +- **SkipTimeZone.** Skips the pane for setting the time zone. +- **SkipApplications.** Skips the Applications pane. +- **SkipBitLocker.** Skips the BitLocker pane. +- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane. +- **SkipRoles.** Skips the Install Roles and Features pane. +- **SkipCapture.** Skips the Capture pane. +- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down. -## Build the Windows 10 reference image +## Build the Windows 10 reference image -Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. -This steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then execute the reference image task sequence image to create and capture the Windows 10 reference image. +As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. -1. Copy the E:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on the Hyper-V host. +Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. - **Note**   - Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. +The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. + +1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01). + + **Note**: Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. + +On **HV01**: -2. Create a virtual machine with the following settings: - 1. Name: REFW10X64-001 - 2. Location: C:\\VMs - 3. Memory: 1024 MB - 4. Network: External (The network that is connected to the same infrastructure as MDT01 is) - 5. Hard disk: 60 GB (dynamic disk) - 6. Image file: C:\\ISO\\MDT Build Lab x86.iso -3. Take a snapshot of the REFW10X64-001 virtual machine, and name it **Clean with MDT Build Lab x86 ISO**. +2. Create a new virtual machine with the following settings: + 1. Name: REFW10X64-001 + 2. Store the virtual machine in a different location: C:\VM + 3. Generation 1 + 4. Memory: 1024 MB + 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$ + 7. Hard disk: 60 GB (dynamic disk) + 8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso +1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. - **Note**   - Taking a snapshot is useful if you need to restart the process and want to make sure you can start clean. + **Note**: Checkpoints are useful if you need to restart the process and want to make sure you can start clean. -4. Start the REFW10X64-001 virtual machine. After booting into Windows PE, complete the Windows Deployment Wizard using the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image - 2. Specify whether to capture an image: Capture an image of this reference computer - - Location: \\\\MDT01\\MDTBuildLab$\\Captures - 3. File name: REFW10X64-001.wim +4. Start the REFW10X64-001 virtual machine and connect to it. - ![figure 13](../images/fig13-captureimage.png) + **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. - Figure 13. The Windows Deployment Wizard for the Windows 10 reference image. + After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image + 2. Specify whether to capture an image: Capture an image of this reference computer + - Location: \\\\MDT01\\MDTBuildLab$\\Captures + 3. File name: REFW10X64-001.wim -5. The setup now starts and does the following: - 1. Installs the Windows 10 Enterprise operating system. - 2. Installs the added applications, roles, and features. - 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. - 4. Stages Windows PE on the local disk. - 5. Runs System Preparation (Sysprep) and reboots into Windows PE. - 6. Captures the installation to a Windows Imaging (WIM) file. - 7. Turns off the virtual machine. + ![capture image](../images/captureimage.png) -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the E:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. + The Windows Deployment Wizard for the Windows 10 reference image. + +5. The setup now starts and does the following: + 1. Installs the Windows 10 Enterprise operating system. + 2. Installs the added applications, roles, and features. + 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. + 4. Stages Windows PE on the local disk. + 5. Runs System Preparation (Sysprep) and reboots into Windows PE. + 6. Captures the installation to a Windows Imaging (WIM) file. + 7. Turns off the virtual machine. + +After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. + + ![image](../images/image-captured.png) + +## Troubleshooting + +If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence. + + ![monitoring](../images/mdt-monitoring.png) + +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](https://docs.microsoft.com/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. + +After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related topics -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 238fd0d31e..7e06abfeb3 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -21,115 +21,144 @@ ms.topic: article **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. +This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. +We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -![figure 1](../images/mdt-07-fig01.png) +For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005. -Figure 1. The machines used in this topic. +- DC01 is a domain controller +- MDT01 is a domain member server +- HV01 is a Hyper-V server +- PC0005 is a blank device to which we will deploy Windows 10 + +MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. + + ![devices](../images/mdt-07-fig01.png) >[!NOTE] ->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - +>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -## Step 1: Configure Active Directory permissions +## Step 1: Configure Active Directory permissions + +These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. + +On **DC01**: + +1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit. +2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt: + + ```powershell + New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true + ``` + +3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt: -These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. -1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings: - 1. Name: MDT\_JD - 2. User logon name: MDT\_JD - 3. Password: P@ssw0rd - 4. User must change password at next logon: Clear - 5. User cannot change password: Select - 6. Password never expires: Select -3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force Set-Location C:\Setup\Scripts .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted: - 1. Scope: This object and all descendant objects - 1. Create Computer objects - 2. Delete Computer objects - 2. Scope: Descendant Computer objects - 1. Read All Properties - 2. Write All Properties - 3. Read Permissions - 4. Modify Permissions - 5. Change Password - 6. Reset Password - 7. Validated write to DNS host name - 8. Validated write to service principal name -## Step 2: Set up the MDT production deployment share +The following is a list of the permissions being granted: + a. Scope: This object and all descendant objects + b. Create Computer objects + c. Delete Computer objects + d. Scope: Descendant Computer objects + e. Read All Properties + f. Write All Properties + g. Read Permissions + h. Modify Permissions + i. Change Password + j. Reset Password + k. Validated write to DNS host name + l. Validated write to service principal name -When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md). +## Step 2: Set up the MDT production deployment share + +Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. ### Create the MDT production deployment share +On **MDT01**: + The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. -2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**. + +1. Ensure you are signed on as: contoso\administrator. +2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. -## Step 3: Add a custom image +### Configure permissions for the production deployment share + +To read files in the deployment share, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder + +On **MDT01**: + +1. Ensure you are signed in as **contoso\\administrator**. +2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: + + ``` powershell + icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' + grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force + ``` + +## Step 3: Add a custom image The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. ### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01. +In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. + 1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. 3. On the **OS Type** page, select **Custom image file** and click **Next**. -4. On the **Image** page, in the **Source file** text box, browse to **E:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. -5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **E:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. +4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. +5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. 6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to match the following: **Windows 10 Enterprise x64 RTM Custom Image**. +7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. >[!NOTE] >The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. -![figure 2](../images/fig2-importedos.png) +![imported OS](../images/fig2-importedos.png) -Figure 2. The imported operating system after renaming it. +## Step 4: Add an application -## Step 4: Add an application +When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example. -When you configure your MDT Build Lab deployment share, you will also add any applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example. +### Create the install: Adobe Reader DC -### Create the install: Adobe Reader XI x86 +On **MDT01**: -In this example, we assume that you have downloaded the Adobe Reader XI installation file (AdbeRdr11000\_eu\_ES.msi) to E:\\Setup\\Adobe Reader on MDT01. -1. Using the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. -2. Right-click the **Applications** node, and create a new folder named **Adobe**. -3. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. -4. On the **Application Type** page, select the **Application with source files** option and click **Next**. -5. On the **Details** page, in the **Application** name text box, type **Install - Adobe Reader XI - x86** and click **Next**. -6. On the **Source** page, in the **Source Directory** text box, browse to **E:\\Setup\\Adobe Reader XI** and click **Next**. -7. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader XI - x86** and click **Next**. -8. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AdbeRdr11000\_eu\_ES.msi /q**, click **Next** twice, and then click **Finish**. +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. +4. Right-click the **Applications** node, and create a new folder named **Adobe**. +5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. +6. On the **Application Type** page, select the **Application with source files** option and click **Next**. +7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**. +8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**. +9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. +10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**. -![figure 3](../images/mdt-07-fig03.png) +![acroread](../images/acroread.png) -Figure 3. The Adobe Reader application added to the Deployment Workbench. +The Adobe Reader application added to the Deployment Workbench. -## Step 5: Prepare the drivers repository +## Step 5: Prepare the drivers repository In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: - Lenovo ThinkPad T420 -- Dell Latitude E6440 +- Dell Latitude 7390 - HP EliteBook 8560w - Microsoft Surface Pro + For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. >[!NOTE] @@ -139,20 +168,22 @@ For boot images, you need to have storage and network drivers; for the operating The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. -1. On MDT01, using File Explorer, create the **E:\\Drivers** folder. -2. In the **E:\\Drivers** folder, create the following folder structure: +On **MDT01**: + +1. Using File Explorer, create the **D:\\drivers** folder. +2. In the **D:\\drivers** folder, create the following folder structure: 1. WinPE x86 2. WinPE x64 3. Windows 10 x64 3. In the new Windows 10 x64 folder, create the following folder structure: - Dell - - Latitude E6440 - - HP + - Latitude E7450 + - Hewlett-Packard - HP EliteBook 8560w - Lenovo - - ThinkPad T420 (4178) + - ThinkStation P500 (30A6003TUS) - Microsoft Corporation - - Surface Pro 3 + - Surface Laptop >[!NOTE] >Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. @@ -166,16 +197,16 @@ When you import drivers to the MDT driver repository, MDT creates a single insta 2. WinPE x64 3. Windows 10 x64 3. In the **Windows 10 x64** folder, create the following folder structure: - - Dell Inc. - - Latitude E6440 + - Dell + - Latitude E7450 - Hewlett-Packard - HP EliteBook 8560w - Lenovo - - 4178 + - 30A6003TUS - Microsoft Corporation - - Surface Pro 3 + - Surface Laptop -The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell: +The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell: ``` powershell Get-WmiObject -Class:Win32_ComputerSystem @@ -188,87 +219,104 @@ wmic csproduct get name If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). -![figure 4](../images/fig4-oob-drivers.png) +![drivers](../images/fig4-oob-drivers.png) -Figure 4. The Out-of-Box Drivers structure in Deployment Workbench. +The Out-of-Box Drivers structure in the Deployment Workbench. ### Create the selection profiles for boot image drivers By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. -1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. + +On **MDT01**: + +1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. 2. In the New Selection Profile Wizard, create a selection profile with the following settings: 1. Selection Profile name: WinPE x86 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. -3. Again, right-click the **Selection Profiles** node, and select **New Selection Profile**. + 3. Click **Next**, **Next** and **Finish**. +3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. 4. In the New Selection Profile Wizard, create a selection profile with the following settings: 1. Selection Profile name: WinPE x64 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. + 3. Click **Next**, **Next** and **Finish**. ![figure 5](../images/fig5-selectprofile.png) -Figure 5. Creating the WinPE x64 selection profile. +Creating the WinPE x64 selection profile. ### Extract and import drivers for the x64 boot image Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. -In these steps, we assume you have downloaded PROWinx64.exe from Intel.com and saved it to a temporary folder. -1. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. -2. Using File Explorer, create the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -3. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -4. Using Deployment Workbench, expand the **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**. Use the following setting for the Import Drivers Wizard: - - Driver source directory: **E:\\Drivers\\WinPE x64\\Intel PRO1000** +On **MDT01**: + +1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). +2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. + a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. +3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. +4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. +5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. ### Download, extract, and import drivers -### For the ThinkPad T420 +### For the Lenovo ThinkStation P500 -For the Lenovo T420 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo T420 model has the 4178B9G model name, meaning the Machine Type is 4178. +For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -To get the updates, you download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can download the drivers from the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). +![ThinkStation](../images/thinkstation.png) -In these steps, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever v5.0 to the E:\\Drivers\\Lenovo\\ThinkPad T420 (4178) folder. +To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). -1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Lenovo** node. -2. Right-click the **4178** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: - - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkPad T420 (4178)** +In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. -### For the Latitude E6440 +On **MDT01**: -For the Dell Latitude E6440 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). +1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. +2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E6440 model to the E:\\Drivers\\Dell\\Latitude E6440 folder. +The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. -1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Dell** node. -2. Right-click the **Latitude E6440** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: - - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Dell\\Latitude E6440** +### For the Latitude E7450 + +For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). + +In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder. + +On **MDT01**: + +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node. +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450** ### For the HP EliteBook 8560w For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w folder. +In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. -1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Hewlett-Packard** node. -2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: - - Driver source directory: **E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w** +On **MDT01**: -### For the Microsoft Surface Pro 3 +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. +2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** -For the Microsoft Surface Pro model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Pro 3 drivers to the E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3 folder. +### For the Microsoft Surface Laptop -1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Microsoft** node. -2. Right-click the **Surface Pro 3** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: - - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3** +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. -## Step 6: Create the deployment task sequence +On **MDT01**: -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the tasks sequence to enable patching via a Windows Server Update Services (WSUS) server. +1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. +2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** + +## Step 6: Create the deployment task sequence + +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. ### Create a task sequence for Windows 10 Enterprise -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +On **MDT01**: + +1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: 1. Task sequence ID: W10-X64-001 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image @@ -278,13 +326,14 @@ This section will show you how to create the task sequence used to deploy your p 6. Specify Product Key: Do not specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso - 9. Internet Explorer home page: about:blank + 9. Internet Explorer home page: https://www.contoso.com 10. Admin Password: Do not specify an Administrator Password at this time - ### Edit the Windows 10 task sequence -3. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. -4. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: +### Edit the Windows 10 task sequence + +1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. +2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: + 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 3. Value: Windows 10 x64\\%Make%\\%Model% @@ -297,89 +346,93 @@ This section will show you how to create the task sequence used to deploy your p 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. -5. Click **OK**. +3. Click **OK**. -![figure 6](../images/fig6-taskseq.png) +![drivergroup](../images/fig6-taskseq.png) -Figure 6. The task sequence for production deployment. +The task sequence for production deployment. -## Step 7: Configure the MDT production deployment share +## Step 7: Configure the MDT production deployment share In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. ### Configure the rules -1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files. - 1. Bootstrap.ini - 2. CustomSettings.ini -2. Right-click the **MDT Production** deployment share and select **Properties**. -3. Select the **Rules** tab and modify using the following information: +On **MDT01**: - ``` - [Settings] - Priority=Default - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=P@ssw0rd - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=P@ssw0rd - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - WSUSServer=mdt01.contoso.com:8530 - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - ``` -4. Click **Edit Bootstrap.ini** and modify using the following information: +1. Right-click the **MDT Production** deployment share and select **Properties**. +2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): - ``` - [Settings] - Priority=Default - [Default] - DeployRoot=\\MDT01\MDTProduction$ - UserDomain=CONTOSO - UserID=MDT_BA - SkipBDDWelcome=YES - ``` -5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. -6. In the **General** sub tab, configure the following settings: + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=pass@word1 + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + WSUSServer=mdt01.contoso.com:8530 + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + ``` + +3. Click **Edit Bootstrap.ini** and modify using the following information: + +``` +[Settings] +Priority=Default + +[Default] +DeployRoot=\\MDT01\MDTProduction$ +UserDomain=CONTOSO +UserID=MDT_BA +UserPassword=pass@word1 +SkipBDDWelcome=YES +``` + +4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. +5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings: - In the **Lite Touch Boot Image Settings** area: 1. Image description: MDT Production x86 2. ISO file name: MDT Production x86.iso > [!NOTE] > - > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. -7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. -8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -9. In the **General** sub tab, configure the following settings: +6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. +7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +8. On the **General** sub tab, configure the following settings: - In the **Lite Touch Boot Image Settings** area: 1. Image description: MDT Production x64 2. ISO file name: MDT Production x64.iso -10. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. -11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. -12. Click **OK**. +9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. +10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. +11. Click **OK**. >[!NOTE] >It will take a while for the Deployment Workbench to create the monitoring database and web service. @@ -387,39 +440,46 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh ![figure 8](../images/mdt-07-fig08.png) -Figure 7. The Windows PE tab for the x64 boot image. +The Windows PE tab for the x64 boot image. ### The rules explained -The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup and that you do not automate the logon. +The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. + +> +>You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. ### The Bootstrap.ini file -This is the MDT Production Bootstrap.ini without the user credentials (except domain information): +This is the MDT Production Bootstrap.ini: ``` [Settings] Priority=Default + [Default] DeployRoot=\\MDT01\MDTProduction$ UserDomain=CONTOSO UserID=MDT_BA +UserPassword=pass@word1 SkipBDDWelcome=YES ``` + ### The CustomSettings.ini file This is the CustomSettings.ini file with the new join domain information: ``` [Settings] Priority=Default + [Default] _SMSTSORGNAME=Contoso OSInstall=Y UserDataLocation=AUTO TimeZoneName=Pacific Standard Time -AdminPassword=P@ssw0rd +AdminPassword=pass@word1 JoinDomain=contoso.com DomainAdmin=CONTOSO\MDT_JD -DomainAdminPassword=P@ssw0rd +DomainAdminPassword=pass@word1 MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com SLShare=\\MDT01\Logs$ ScanStateArgs=/ue:*\* /ui:CONTOSO\* @@ -444,7 +504,8 @@ SkipCapture=YES SkipFinalSummary=NO EventService=http://MDT01:9800 ``` -The additional properties to use in the MDT Production rules file are as follows: + +Some properties to use in the MDT Production rules file are as follows: - **JoinDomain.** The domain to join. - **DomainAdmin.** The account to use when joining the machine to the domain. - **DomainAdminDomain.** The domain for the join domain account. @@ -456,33 +517,35 @@ The additional properties to use in the MDT Production rules file are as follows ### Optional deployment share configuration -If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you -troubleshoot MDT deployments, as well as troubleshoot Windows itself. +If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following: -- Install DaRT 10 (part of MDOP 2015 R1). -- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share. -- Configure the deployment share to add DaRT. - In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01. -- On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings. -- Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. -- Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**. -- Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**. -- Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. -- In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. -- In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. +If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: - ![figure 8](../images/mdt-07-fig09.png) +>DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**. - Figure 8. Selecting the DaRT 10 feature in the deployment share. +On **MDT01**: + +1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi). +2. Install DaRT 10 (MSDaRT10.msi) using the default settings. + + ![DaRT](../images/dart.png) + +2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. +3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. +4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. +5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. + + ![DaRT selection](../images/mdt-07-fig09.png) + + Selecting the DaRT 10 feature in the deployment share. 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. 9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. 10. Click **OK**. -### Update the deployment share +### Update the deployment share Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -490,57 +553,75 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee >[!NOTE] >The update process will take 5 to 10 minutes. - -## Step 8: Deploy the Windows 10 client image + +## Step 8: Deploy the Windows 10 client image These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. ### Configure Windows Deployment Services -You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. For the following steps, we assume that Windows Deployment Services has already been installed on MDT01. -1. Using the WDS console, right-click **Boot Images** and select **Add Boot Image**. -2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings. +You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article. + +On **MDT01**: + +1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**. +2. Right-click **Boot Images** and select **Add Boot Image**. +3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. ![figure 9](../images/mdt-07-fig10.png) -Figure 9. The boot image added to the WDS console. +The boot image added to the WDS console. ### Deploy the Windows 10 client At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: -1. Create a virtual machine with the following settings: - 1. Name: PC0005 - 2. Location: C:\\VMs - 3. Generation: 2 - 4. Memory: 2048 MB - 5. Hard disk: 60 GB (dynamic disk) -2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The machine will now load the Windows PE boot image from the WDS server. + +On **HV01**: + +1. Create a virtual machine with the following settings: + 1. Name: PC0005 + 2. Store the virtual machine in a different location: C:\VM + 3. Generation: 2 + 4. Memory: 2048 MB + 5. Network: Must be able to connect to \\MDT01\MDTProduction$ + 6. Hard disk: 60 GB (dynamic disk) + 7. Installation Options: Install an operating system from a network-based installation server +2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. ![figure 10](../images/mdt-07-fig11.png) - Figure 10. The initial PXE boot process of PC0005. + The initial PXE boot process of PC0005. 3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: - 1. Password: P@ssw0rd - 2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - 3. Computer Name: PC0005 - 4. Applications: Select the Install - Adobe Reader XI - x86 application. -4. The setup now starts and does the following: + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + 2. Computer Name: **PC0005** + 3. Applications: Select the **Install - Adobe Reader** checkbox. +4. Setup now begins and does the following: 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added application. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. +![pc0005](../images/pc0005-vm.png) + +### Application installation + +Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically. + + ![pc0005](../images/pc0005-vm-office.png) + ### Use the MDT monitoring feature -Now that you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. +Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. -1. On MDT01, using Deployment Workbench, expand the **MDT Production** deployment share folder. +On **MDT01**: + +1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. 2. Select the **Monitoring** node, and wait until you see PC0005. 3. Double-click PC0005, and review the information. ![figure 11](../images/mdt-07-fig13.png) -Figure 11. The Monitoring node, showing the deployment progress of PC0005. +The Monitoring node, showing the deployment progress of PC0005. ### Use information in the Event Viewer @@ -548,11 +629,11 @@ When monitoring is enabled, MDT also writes information to the event viewer on M ![figure 12](../images/mdt-07-fig14.png) -Figure 12. The Event Viewer showing a successful deployment of PC0005. +The Event Viewer showing a successful deployment of PC0005. -## Multicast deployments +## Multicast deployments -Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. +Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast. ### Requirements @@ -563,25 +644,30 @@ Internet Group Management Protocol (IGMP) snooping is turned on and that the net Setting up MDT for multicast is straightforward. You enable multicast on the deployment share, and MDT takes care of the rest. -1. On MDT01, right-click the **MDT Production** deployment share folder and select **Properties**. -2. In the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and click **OK**. +On **MDT01**: + +1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**. +2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and click **OK**. 3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. 4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. ![figure 13](../images/mdt-07-fig15.png) -Figure 13. The newly created multicast namespace. +The newly created multicast namespace. -## Use offline media to deploy Windows 10 +## Use offline media to deploy Windows 10 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. ### Create the offline media selection profile To filter what is being added to the media, you create a selection profile. When creating selection profiles, you quickly realize the benefits of having created a good logical folder structure in the Deployment Workbench. -1. On MDT01, using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click **Selection Profile**, and select **New Selection Profile**. + +On **MDT01**: + +1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. 2. Use the following settings for the New Selection Profile Wizard: 1. General Settings - Selection profile name: Windows 10 Offline Media @@ -592,48 +678,58 @@ To filter what is being added to the media, you create a selection profile. When 4. Out-Of-Box Drivers / Windows 10 x64 5. Task Sequences / Windows 10 + ![offline media](../images/mdt-offline-media.png) + ### Create the offline media In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile. -1. On MDT01, using File Explorer, create the **E:\\MDTOfflineMedia** folder. +1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. - >[!NOTE] - >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + >[!NOTE] + >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. -2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. +2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. 3. Use the following settings for the New Media Wizard: - General Settings - 1. Media path: **E:\\MDTOfflineMedia** - 2. Selection profile: Windows 10 Offline Media + 1. Media path: **D:\\MDTOfflineMedia** + 2. Selection profile: **Windows 10 Offline Media** ### Configure the offline media Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench. -1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\MDTProduction\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. -2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. +On **MDT01**: + +1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. +2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. 3. In the **General** tab, configure the following: 1. Clear the Generate x86 boot image check box. 2. ISO file name: Windows 10 Offline Media.iso -4. Still in the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -5. In the **General** sub tab, configure the following settings: +4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +5. On the **General** sub tab, configure the following settings: 1. In the **Lite Touch Boot Image Settings** area: - Image description: MDT Production x64 2. In the **Windows PE Customizations** area, set the Scratch space size to 128. -6. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. +6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. 7. Click **OK**. ### Generate the offline media -You have now configured the offline media deployment share however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. +You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. -1. On MDT01, using Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. -2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **E:\\MDTOfflineMedia\\Content** folder. +On **MDT01**: + +1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. +2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. ### Create a bootable USB stick The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) + +>[!TIP] +>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. This means you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. + Follow these steps to create a bootable USB stick from the offline media content: 1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. @@ -643,24 +739,19 @@ Follow these steps to create a bootable USB stick from the offline media content 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). 6. In the Diskpart utility, type **active**, and then type **exit**. -## Unified Extensible Firmware Interface (UEFI)-based deployments +## Unified Extensible Firmware Interface (UEFI)-based deployments -As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. +As referenced in [Windows 10 deployment scenarios and tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. ![figure 14](../images/mdt-07-fig16.png) -Figure 14. The partitions when deploying an UEFI-based machine. +The partitions when deploying an UEFI-based machine. ## Related topics -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - -[Configure MDT settings](configure-mdt-settings.md) +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md deleted file mode 100644 index bc6f898741..0000000000 --- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ /dev/null @@ -1,98 +0,0 @@ ---- -title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) -description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). -ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, tools, configure, script -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.pagetype: mdt -ms.topic: article ---- - -# Deploy Windows 10 with the Microsoft Deployment Toolkit - -**Applies to** -- Windows 10 - -This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). - -The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. - -To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -## In this section - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-settings.md) - -## Proof-of-concept environment - -For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002. - -![figure 1](../images/mdt-01-fig01.png) - -Figure 1. The servers and machines used for examples in this guide. - -DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation. - -![figure 2](../images/mdt-01-fig02.jpg) - -Figure 2. The organizational unit (OU) structure used in this guide. - -### Server details - -- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain. - - Server name: DC01 - - IP Address: 192.168.1.200 - - Roles: DNS, DHCP, and Domain Controller -- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. - - Server name: MDT01 - - IP Address: 192.168.1.210 -- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. - - Server name: CM01 - - IP Address: 192.168.1.214 - -### Client machine details - -- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation. - - Client name: PC0001 - - IP Address: DHCP -- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios. - - Client name: PC0002 - - IP Address: DHCP - -## Sample files - -The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation: -- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. -- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. - -## Related topics - -[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md) - -[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) - -[Deploy Windows To Go in your organization](../deploy-windows-to-go.md) - -[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) - -[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md) - diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index e7742fa773..00c0a446a3 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -1,54 +1,171 @@ ---- -title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) -description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. -ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, image, feature, install, tools -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Get started with the Microsoft Deployment Toolkit (MDT) - -**Applies to** -- Windows 10 - -This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. - -In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. - -For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see -[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](../images/mdt-05-fig01.png) - -Figure 1. The machines used in this topic. - -## In this section - -- [Key features in MDT](key-features-in-mdt.md) -- [MDT Lite Touch components](mdt-lite-touch-components.md) -- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - -## Related topics - -[Microsoft Deployment Toolkit downloads and documentation](https://go.microsoft.com/fwlink/p/?LinkId=618117) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - -[Configure MDT settings](configure-mdt-settings.md) +--- +title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) +description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. +ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, image, feature, install, tools +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Get started with MDT + +**Applies to** +- Windows 10 + +This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). + +## About MDT + +MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. + +In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. + +MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/). + +## Key features in MDT + +MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. + +MDT has many useful features, such as: +- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. +- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. +- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. +- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. +- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI. +- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + + ![figure 2](../images/mdt-05-fig02.png) + + The deployment share mounted as a standard PSDrive allows for administration using PowerShell. + +- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. +- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). +- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. +- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. +- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Monitoring.** Allows you to see the status of currently running deployments. +- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). +- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. +- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. +- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. + + ![figure 3](../images/mdt-05-fig03.png) + + The offline USMT backup in action. + +- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. +- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. +- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. +- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. +- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. +- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +## MDT Lite Touch components + +Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. + +When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. + +![figure 4](../images/mdt-05-fig04.png) + +If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. + +## Deployment shares + +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. + +## Rules + +The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: +- Computer name +- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object +- Whether to enable BitLocker +- Regional settings +You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +![figure 5](../images/mdt-05-fig05.png) + +Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number + +## Boot images + +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment +share on the server and start the deployment. + +## Operating systems + +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. + +## Applications + +Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. + +## Driver repository + +You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. + +## Packages + +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. + +## Task sequences + +Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. + +You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: +- **Gather.** Reads configuration settings from the deployment server. +- **Format and Partition.** Creates the partition(s) and formats them. +- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. +- **Apply Operating System.** Uses ImageX to apply the image. +- **Windows Update.** Connects to a WSUS server and updates the machine. + +## Task sequence templates + +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + + **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + +- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. +- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. +- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. +- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. +- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. +- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +## Selection profiles + +Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: +- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. +- Control which drivers are injected during the task sequence. +- Control what is included in any media that you create. +- Control what is replicated to other deployment shares. +- Filter which task sequences and applications are displayed in the Deployment Wizard. + +## Logging + +MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. + +**Note**   +The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). + +## Monitoring + +On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. + +## See next + +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md deleted file mode 100644 index f0fe20a593..0000000000 --- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Key features in MDT (Windows 10) -description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. -ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Key features in MDT - -**Applies to** -- Windows 10 - -The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. - -MDT has many useful features, the most important of which are: -- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. -- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. -- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. -- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. -- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. - - ![figure 2](../images/mdt-05-fig02.png) - - Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. - -- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. -- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). -- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. -- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. -- **Monitoring.** Allows you to see the status of currently running deployments. -- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). -- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. -- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. -- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. - - ![figure 3](../images/mdt-05-fig03.png) - - Figure 3. The offline USMT backup in action. - -- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. -- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. -- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. -- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. -- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. -- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -## Related topics - -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - -[MDT Lite Touch components](mdt-lite-touch-components.md) -  -  diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md deleted file mode 100644 index 15f4f07658..0000000000 --- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: MDT Lite Touch components (Windows 10) -description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. -ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, install, deployment, boot, log, monitor -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# MDT Lite Touch components - -**Applies to** -- Windows 10 - -This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. -When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. - -![figure 4](../images/mdt-05-fig04.png) - -Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. - -## Deployment shares - -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. - -## Rules - -The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: -- Computer name -- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object -- Whether to enable BitLocker -- Regional settings -You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -![figure 5](../images/mdt-05-fig05.png) - -Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number - -## Boot images - -Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment -share on the server and start the deployment. - -## Operating systems - -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. - -## Applications - -Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. - -## Driver repository - -You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. - -## Packages - -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. - -## Task sequences - -Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. - -You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: -- **Gather.** Reads configuration settings from the deployment server. -- **Format and Partition.** Creates the partition(s) and formats them. -- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. -- **Apply Operating System.** Uses ImageX to apply the image. -- **Windows Update.** Connects to a WSUS server and updates the machine. - -## Task sequence templates - -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. -- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - - **Note**   - It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. - -- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. -- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. -- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. -- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. -- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. -- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. -- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. - -## Selection profiles - -Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: -- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. -- Control which drivers are injected during the task sequence. -- Control what is included in any media that you create. -- Control what is replicated to other deployment shares. -- Filter which task sequences and applications are displayed in the Deployment Wizard. - -## Logging - -MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. - -**Note**   -The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). - -## Monitoring - -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. - -## Related topics - -[Key features in MDT](key-features-in-mdt.md) - -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index aa2e3ff40e..41701e19c0 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -1,6 +1,6 @@ --- title: Prepare for deployment with MDT (Windows 10) -description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). +description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 ms.reviewer: manager: laurawi @@ -19,51 +19,176 @@ ms.topic: article # Prepare for deployment with MDT **Applies to** -- Windows 10 +- Windows 10 -This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. +This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory. -For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +## Infrastructure -## System requirements +The procedures in this guide use the following names and infrastructure. -MDT requires the following components: -- Any of the following operating systems: - - Windows 7 - - Windows 8 - - Windows 8.1 - - Windows 10 - - Windows Server 2008 R2 - - Windows Server 2012 - - Windows Server 2012 R2 -- Windows Assessment and Deployment Kit (ADK) for Windows 10 -- Windows PowerShell -- Microsoft .NET Framework +### Network and servers -## Install Windows ADK for Windows 10 +For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**. +- All servers are running Windows Server 2019. + - You can use an earlier version of Windows Server with minor modifications to some procedures. + - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide. +- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation. +- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. + - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. +- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image. + - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. -These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. -2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. -3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: - 1. Deployment Tools - 2. Windows Preinstallation Environment (Windows PE) - 3. User State Migration Tool (USMT) +### Client computers - >[!IMPORTANT] - >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information. +Several client computers are referenced in this guide with hostnames of PC0001 to PC0007. -## Install MDT +- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. + - Client name: PC0001 + - IP Address: DHCP +- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. + - Client name: PC0002 + - IP Address: DHCP +- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. -These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01. +### Storage requirements -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. -2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings. +MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive. -## Create the OU structure +### Hyper-V requirements -If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT. -1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**. +If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](https://docs.microsoft.com/windows/deployment/windows-10-poc#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V. + +### Network requirements + +All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. + +### Domain credentials + +The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. + +**Active Directory domain name**: contoso.com
+**Domain administrator username**: administrator
+**Domain administrator password**: pass@word1 + +### Organizational unit structure + +The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs. + +![figure 2](../images/mdt-01-fig02.jpg) + +## Install the Windows ADK + +These steps assume that you have the MDT01 member server running and configured as a domain member server. + +On **MTD01**: + +Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): +- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) +- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) +- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) + +>[!TIP] +>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). + +1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain. + - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. +2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step. +3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. +4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. + - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. + +## Install and initialize Windows Deployment Services (WDS) + +On **MDT01**: + +1. Open an elevated Windows PowerShell prompt and enter the following command: + + ```powershell + Install-WindowsFeature -Name WDS -IncludeManagementTools + WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall" + WDSUTIL /Set-Server /AnswerClients:All + ``` + +## Optional: Install Windows Server Update Services (WSUS) + +If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment. + +To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt: + + ```powershell + Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI + cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS + ``` + +>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01. + +## Install MDT + +>[!NOTE] +>MDT installation requires the following: +>- The Windows ADK for Windows 10 (installed in the previous procedure) +>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +>- Microsoft .NET Framework + +On **MDT01**: + +1. Visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117) and click **Download MDT**. +2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. + - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. +3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. + +## Create the OU structure + +Switch to **DC01** and perform the following procedures on **DC01**: + +To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. + +To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension. + +```powershell +$oulist = Import-csv -Path c:\oulist.txt +ForEach($entry in $oulist){ + $ouname = $entry.ouname + $oupath = $entry.oupath + New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf + Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath" +} +``` + +Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt + +```text +OUName,OUPath +Contoso,"DC=CONTOSO,DC=COM" +Accounts,"OU=Contoso,DC=CONTOSO,DC=COM" +Computers,"OU=Contoso,DC=CONTOSO,DC=COM" +Groups,"OU=Contoso,DC=CONTOSO,DC=COM" +Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" +Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" +Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" +Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM" +Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM" +Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM" +``` + +Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script: + +```powershell +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force +Set-Location C:\Setup\Scripts +.\ou.ps1 +``` + +This will create an OU structure as shown below. + +![OU structure](../images/mdt-05-fig07.png) + +To use the Active Directory Users and Computers console (instead of PowerShell): + +On **DC01**: + +1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**. 2. In the **Contoso** OU, create the following OUs: 1. Accounts 2. Computers @@ -76,55 +201,62 @@ If you do not have an organizational unit (OU) structure in your Active Director 1. Servers 2. Workstations 5. In the **Contoso / Groups** OU, create the following OU: - - Security Groups + 1. Security Groups -![figure 6](../images/mdt-05-fig07.png) +The final result of either method is shown below. The **MDT_BA** account will be created next. -Figure 6. A sample of how the OU structure will look after all the OUs are created. +## Create the MDT service account -## Create the MDT service account +When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. -When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. -1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings: - 1. Name: MDT\_BA - 2. User logon name: MDT\_BA - 3. Password: P@ssw0rd - 4. User must change password at next logon: Clear - 5. User cannot change password: Selected - 6. Password never expires: Selected +To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1": -## Create and share the logs folder +```powershell +New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true +``` +If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above. + +## Create and share the logs folder By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: +On **MDT01**: - ``` powershell - New-Item -Path E:\Logs -ItemType directory - New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE - icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' +1. Sign in as **CONTOSO\\administrator**. +2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: + + ```powershell + New-Item -Path D:\Logs -ItemType directory + New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE + icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)' ``` -![figure 7](../images/mdt-05-fig08.png) +See the following example: -Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. +![Logs folder](../images/mdt-05-fig08.png) -## Use CMTrace to read log files (optional) +## Use CMTrace to read log files (optional) -The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](https://docs.microsoft.com/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool. +You can use Notepad (example below): ![figure 8](../images/mdt-05-fig09.png) -Figure 8. An MDT log file opened in Notepad. +Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace: ![figure 9](../images/mdt-05-fig10.png) +After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access. -Figure 9. The same log file, opened in CMTrace, is much easier to read. -## Related topics +## Next steps -[Key features in MDT](key-features-in-mdt.md) +When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). -[MDT Lite Touch components](mdt-lite-touch-components.md) +## Appendix + +**Sample files** + +The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell. +- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. +- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 6c0524658f..c0f5f7d8a1 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -1,132 +1,120 @@ ---- -title: Refresh a Windows 7 computer with Windows 10 (Windows 10) -description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. -ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: reinstallation, customize, template, script, restore -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Refresh a Windows 7 computer with Windows 10 - -**Applies to** -- Windows 10 - -This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. - -For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![The machines used in this topic](../images/mdt-04-fig01.png "The machines used in this topic") - -Figure 1. The machines used in this topic. - -## The computer refresh process - -Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. -For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: - -1. Back up data and settings locally, in a backup folder. - -2. Wipe the partition, except for the backup folder. - -3. Apply the new operating system image. - -4. Install other applications. - -5. Restore data and settings. - -During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. - ->[!NOTE] ->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario. - -### Multi-user migration - -By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up -by configuring command-line switches to ScanState (added as rules in MDT). - -As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* - ->[!NOTE] ->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. - -### Support for additional settings - -In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles - -## Create a custom User State Migration Tool (USMT) template - -In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will: - -1. Back up the **C:\\Data** folder (including all files and folders). - -2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine. - The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include: - - * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361) - * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script - * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) - -### Add the custom XML template - -In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file. -1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder. -2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line: - - ``` syntax - USMTMigFiles003=MigContosoData.xml - ``` -3. Save the CustomSettings.ini file. - -## Refresh a Windows 7 SP1 client - -After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10. - ->[!NOTE] ->MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -### Upgrade (refresh) a Windows 7 SP1 client - -1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: - - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM - * Computer name: <default> - * Specify where to save a complete computer backup: Do not back up the existing computer - >[!NOTE] - >Skip this optional full WIM backup. The USMT backup will still run. - -2. Select one or more applications to install: Install - Adobe Reader XI - x86 - -3. The setup now starts and does the following: - - * Backs up user settings and data using USMT. - * Installs the Windows 10 Enterprise x64 operating system. - * Installs the added application(s). - * Updates the operating system via your local Windows Server Update Services (WSUS) server. - * Restores user settings and data using USMT. - -![Start the computer refresh from the running Windows 7 client](../images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client") - -Figure 2. Starting the computer refresh from the running Windows 7 SP1 client. - -## Related topics - -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) - -[Configure MDT settings](configure-mdt-settings.md) +--- +title: Refresh a Windows 7 computer with Windows 10 (Windows 10) +description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. +ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: reinstallation, customize, template, script, restore +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Refresh a Windows 7 computer with Windows 10 + +**Applies to** +- Windows 10 + +This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001. +- DC01 is a domain controller for the contoso.com domain. +- MDT01 is domain member server that hosts your deployment share. +- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. + +Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). + +![computers](../images/mdt-04-fig01.png "Computers used in this topic") + +The computers used in this topic. + +## The computer refresh process + +A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings. + +For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: + +1. Back up data and settings locally, in a backup folder. +2. Wipe the partition, except for the backup folder. +3. Apply the new operating system image. +4. Install other applications. +5. Restore data and settings. + +During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. + +>[!NOTE] +>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. + +### Multi-user migration + +By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT). + +For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* + +>[!NOTE] +>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. + +### Support for additional settings + +In addition to the command-line switches that control which profiles to migrate, [XML templates](https://docs.microsoft.com/windows/deployment/usmt/understanding-migration-xml-files) control exactly what data is being migrated. You can control data within and outside the user profiles. + +### Multicast + +Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting. + +## Refresh a Windows 7 SP1 client + +In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01: + +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909. + +### Upgrade (refresh) a Windows 7 SP1 client + +>[!IMPORTANT] +>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. + +1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. +2. Complete the deployment guide using the following settings: + + * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + * Computer name: <default> + * Specify where to save a complete computer backup: Do not back up the existing computer + >[!NOTE] + >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. + * Select one or more applications to install: Install - Adobe Reader + + ![Computer refresh](../images/fig2-taskseq.png "Start the computer refresh") + +4. Setup starts and does the following: + + * Backs up user settings and data using USMT. + * Installs the Windows 10 Enterprise x64 operating system. + * Installs any added applications. + * Updates the operating system using your local Windows Server Update Services (WSUS) server. + * Restores user settings and data using USMT. + +5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: + + ![monitor deployment](../images/monitor-pc0001.png) + +6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. + +## Related topics + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index f9d1c1f252..1f16c8febd 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -21,68 +21,75 @@ ms.topic: article **Applies to** - Windows 10 -A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. -For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. -![The machines used in this topic](../images/mdt-03-fig01.png "The machines used in this topic") +For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007. +- DC01 is a domain controller for the contoso.com domain. +- MDT01 is domain member server that hosts your deployment share. +- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. +- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. -Figure 1. The machines used in this topic. +For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -## Prepare for the computer replace +![The computers used in this topic](../images/mdt-03-fig01.png) -When preparing for the computer replace, you need to create a folder in which to store the backup, and a backup only task sequence that you run on the old computer. +The computers used in this topic. + +>HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer. + +## Prepare for the computer replace + + To prepare for the computer replace, you need to create a folder in which to store the backup and a backup only task sequence to run on the old computer. ### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share -1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules. +On **MDT01**: -2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. +1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab. +2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. +3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings. ### Create and share the MigData folder -1. On MDT01, log on as **CONTOSO\\Administrator**. +On **MDT01**: -2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: +1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: ``` powershell - New-Item -Path E:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path E:\MigData - -ChangeAccess EVERYONE - icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)' + New-Item -Path D:\MigData -ItemType directory + New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE + icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)' ``` ### Create a backup only (replace) task sequence -3. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**. +2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**. -4. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: +3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: * Task sequence ID: REPLACE-001 * Task sequence name: Backup Only Task Sequence * Task sequence comments: Run USMT to backup user data and settings * Template: Standard Client Replace Task Sequence -5. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. +4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. ![The Backup Only Task Sequence action list](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list") - Figure 2. The Backup Only Task Sequence action list. + The Backup Only Task Sequence action list. -## Perform the computer replace +## Perform the computer replace During a computer replace, these are the high-level steps that occur: 1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup. +2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. -2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. +### Run the replace task sequence -### Execute the replace task sequence +On **PC0002**: -1. On PC0002, log on as **CONTOSO\\Administrator**. - -2. Verify that you have write access to the **\\\\MDT01\\MigData$** share. - -3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. - -4. Complete the Windows Deployment Wizard using the following settings: +1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share. +2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. +3. Complete the Windows Deployment Wizard using the following settings: 1. Select a task sequence to execute on this computer: Backup Only Task Sequence * Specify where to save your data and settings: Specify a location @@ -92,21 +99,24 @@ During a computer replace, these are the high-level steps that occur: >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. 2. Specify where to save a complete computer backup: Do not back up the existing computer - 3. Password: P@ssw0rd - The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine. + The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer. ![The new task sequence](../images/mdt-03-fig03.png "The new task sequence") - Figure 3. The new task sequence running the Capture User State action on PC0002. + The new task sequence running the Capture User State action on PC0002. -5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder. +4. On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder. ![The USMT backup](../images/mdt-03-fig04.png "The USMT backup") - Figure 4. The USMT backup of PC0002. + The USMT backup of PC0002. -### Deploy the PC0007 virtual machine +### Deploy the replacement computer + +To demonstrate deployment of the replacement computer, HV01 is used to host a virtual machine: PC0007. + +On **HV01**: 1. Create a virtual machine with the following settings: @@ -115,38 +125,40 @@ During a computer replace, these are the high-level steps that occur: * Generation: 2 * Memory: 2048 MB * Hard disk: 60 GB (dynamic disk) + * Install an operating system from a network-based installation server -2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server. +2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site). ![The initial PXE boot process](../images/mdt-03-fig05.png "The initial PXE boot process") - Figure 5. The initial PXE boot process of PC0005. + The initial PXE boot process of PC0007. 3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - * Password: P@ssw0rd * Select a task sequence to execute on this computer: * Windows 10 Enterprise x64 RTM Custom Image * Computer Name: PC0007 - * Applications: Select the Install - Adobe Reader XI - x86 application. + * Move Data and Settings: Do not move user data and settings. + * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002 + * Applications: Adobe > Install - Adobe Reader -4. The setup now starts and does the following: +4. Setup now starts and does the following: + * Partitions and formats the disk. * Installs the Windows 10 Enterprise operating system. - * Installs the added application. + * Installs the application. * Updates the operating system via your local Windows Server Update Services (WSUS) server. * Restores the USMT backup from PC0002. +You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01. + +![Monitor progress](../images/mdt-replace.png) + ## Related topics -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 03899e149e..d54f06dc77 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -37,7 +37,10 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), > [!NOTE] > Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511. -For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +>[!NOTE] +>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. + +For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ## Configure Active Directory for BitLocker @@ -50,7 +53,7 @@ In Windows Server version from 2008 R2 and later, you have access to the BitLock ![figure 2](../images/mdt-09-fig02.png) -Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain. +The BitLocker Recovery information on a computer object in the contoso.com domain. ### Add the BitLocker Drive Encryption Administration Utilities @@ -69,7 +72,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi ![figure 3](../images/mdt-09-fig03.png) -Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. +Selecting the BitLocker Drive Encryption Administration Utilities. ### Create the BitLocker Group Policy @@ -103,7 +106,7 @@ In addition to the Group Policy created previously, you need to configure permis ![figure 4](../images/mdt-09-fig04.png) -Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. +Running the Add-TPMSelfWriteACE.vbs script on DC01. ## Add BIOS configuration tools from Dell, HP, and Lenovo @@ -161,16 +164,10 @@ In the following task sequence, we added five actions: ## Related topics -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 6278b32fe5..cb28eea313 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -18,15 +18,26 @@ ms.topic: article # Simulate a Windows 10 deployment in a test environment -This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined machine (client or server). In the following example, you use the PC0001 Windows 10 client. -For the purposes of this topic, you already will have either downloaded and installed the free Microsoft System Center 2012 R2 Configuration Manager Toolkit, or copied Configuration Manager Trace (CMTrace) if you have access to the System Center 2012 R2 Configuration Manager media. We also assume that you have downloaded the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery. +This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client. -1. On PC0001, log on as **CONTOSO\\Administrator** using the password P@ssw0rd. -2. Using Computer Management, add the **CONTOSO\\MDT\_BA** user account to the local **Administrators** group. -3. Log off, and then log on to PC0001 as **CONTOSO\\MDT\_BA**. -4. Using File Explorer, create a folder named **C:\\MDT**. -5. Copy the downloaded Gather.ps1 script to the **C:\\MDT** folder. -6. From the **\\\\MDT01\\MDTProduction$\\Scripts** folder, copy the following files to **C:\\MDT**: +## Test environment + +- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts. +- It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share: + - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) + - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +## Simulate deployment + +On **PC0001**: + +1. Sign as **contoso\\Administrator**. +2. Download the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001. +3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. +4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. +5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**. +6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**: 1. ZTIDataAccess.vbs 2. ZTIGather.wsf 3. ZTIGather.xml @@ -35,36 +46,32 @@ For the purposes of this topic, you already will have either downloaded and inst 8. In the **C:\\MDT** folder, create a subfolder named **X64**. 9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. - ![figure 6](../images/mdt-09-fig06.png) + ![files](../images/mdt-09-fig06.png) - Figure 6. The C:\\MDT folder with the files added for the simulation environment. + The C:\\MDT folder with the files added for the simulation environment. -10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command: +10. Type the following at an elevated Windows PowerShell prompt: ``` powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force Set-Location C:\MDT .\Gather.ps1 ``` -11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. + When prompted, press **R** to run the gather script. + +11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace. **Note** Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment. + ![ztigather](../images/mdt-09-fig07.png) -![figure 7](../images/mdt-09-fig07.png) - -Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware capabilities. + The ZTIGather.log file from PC0001. ## Related topics -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md new file mode 100644 index 0000000000..38604acbf4 --- /dev/null +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -0,0 +1,114 @@ +--- +title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) +description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 10 with MDT + +**Applies to** +- Windows 10 + +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. + +>[!TIP] +>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. + +In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade. + +Three computers are used in this topic: DC01, MDT01, and PC0002. + +- DC01 is a domain controller for the contoso.com domain +- MDT01 is a domain member server +- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade + + ![computers](../images/mdt-upgrade.png) + + The computers used in this topic. + +>[!NOTE] +>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). + +>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source). + +## Create the MDT production deployment share + +On **MDT01**: + +1. Ensure you are signed on as: contoso\administrator. +2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Add Windows 10 Enterprise x64 (full source) + +>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. + +On **MDT01**: + +1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. +2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. +3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + - Source directory: (location of your source files) + - Destination directory name: W10EX64RTM +5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. + +## Create a task sequence to upgrade to Windows 10 Enterprise + +On **MDT01**: + +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-UPG + - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade + - Template: Standard Client Upgrade Task Sequence + - Select OS: Windows 10 Enterprise x64 RTM Default Image + - Specify Product Key: Do not specify a product key at this time + - Organization: Contoso + - Admin Password: Do not specify an Administrator password at this time + +## Perform the Windows 10 upgrade + +To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded). + +On **PC0002**: + +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. +3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader +4. On the **Ready** tab, click **Begin** to start the task sequence. + When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![upgrade1](../images/upgrademdt-fig5-winupgrade.png) + +
+ +![upgrade2](../images/mdt-upgrade-proc.png) + +
+ +![upgrade3](../images/mdt-post-upg.png) + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-sccm/TOC.md b/windows/deployment/deploy-windows-sccm/TOC.md new file mode 100644 index 0000000000..93aadaebcd --- /dev/null +++ b/windows/deployment/deploy-windows-sccm/TOC.md @@ -0,0 +1,15 @@ +# Deploy Windows 10 with Configuration Manager +## [Configuration Manager components](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +### [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) +### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) +### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +### [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) +### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) +### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) +### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) +### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +### [Perform an in-place upgrade to Windows 10 using Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 06c696d2c7..5a2a0146fc 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -86,23 +86,14 @@ Operating system deployment with Configuration Manager is part of the normal sof **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. -   - ## See also - - [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - - [Windows deployment tools](../windows-deployment-scenarios-and-tools.md) - - [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Deploy Windows To Go in your organization](../deploy-windows-to-go.md) - - [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx) - - [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)   diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md new file mode 100644 index 0000000000..0c75a0f3df --- /dev/null +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md @@ -0,0 +1,80 @@ +--- +title: Deploy Windows 10 with Configuration Manager (Windows 10) +description: If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. +ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deployment, custom, boot +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 with Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). + +For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](../images/mdt-06-fig01.png) + +Figure 1. The machines used in this topic. + +## In this section + + +- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) +- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) +- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) +- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) +- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) +- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) +- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +## Components of Configuration Manager operating system deployment + + +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. + +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. +- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. + + **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. + +   + +## See also + +- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
+- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
+- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
+- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index adca6df481..8fc3e2cdc1 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -1,49 +1,39 @@ ---- -title: Deploy Windows 10 (Windows 10) -description: Deploying Windows 10 for IT professionals. -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.reviewer: -manager: laurawi -ms.audience: itpro -author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 11/06/2018 -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 - -Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available. - - -|Topic |Description | -|------|------------| -|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | -|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | -|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | -|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | -|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | -|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). | -|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | -|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | -|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| - -## Related topics - -[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) - -  - -  - - - - - +--- +title: Deploy Windows 10 (Windows 10) +description: Deploying Windows 10 for IT professionals. +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 + +Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available. + + +|Topic |Description | +|------|------------| +|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | +|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | +|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | +|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | +|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). | +|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | +|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| + +## Related topics + +[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) \ No newline at end of file diff --git a/windows/deployment/images/acroread.png b/windows/deployment/images/acroread.png new file mode 100644 index 0000000000..142e7b6d74 Binary files /dev/null and b/windows/deployment/images/acroread.png differ diff --git a/windows/deployment/images/captureimage.png b/windows/deployment/images/captureimage.png new file mode 100644 index 0000000000..e9ebbf3aad Binary files /dev/null and b/windows/deployment/images/captureimage.png differ diff --git a/windows/deployment/images/dart.png b/windows/deployment/images/dart.png new file mode 100644 index 0000000000..f5c099e9a0 Binary files /dev/null and b/windows/deployment/images/dart.png differ diff --git a/windows/deployment/images/dc01-cm01-pc0001.png b/windows/deployment/images/dc01-cm01-pc0001.png new file mode 100644 index 0000000000..f6adafdf15 Binary files /dev/null and b/windows/deployment/images/dc01-cm01-pc0001.png differ diff --git a/windows/deployment/images/deployment-workbench01.png b/windows/deployment/images/deployment-workbench01.png new file mode 100644 index 0000000000..c68ee25db1 Binary files /dev/null and b/windows/deployment/images/deployment-workbench01.png differ diff --git a/windows/deployment/images/downloads.png b/windows/deployment/images/downloads.png new file mode 100644 index 0000000000..36c45c4a88 Binary files /dev/null and b/windows/deployment/images/downloads.png differ diff --git a/windows/deployment/images/fig10-unattend.png b/windows/deployment/images/fig10-unattend.png index a9d2bc16df..54f0b0f86f 100644 Binary files a/windows/deployment/images/fig10-unattend.png and b/windows/deployment/images/fig10-unattend.png differ diff --git a/windows/deployment/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png index ed72d2ef4d..90cf910c24 100644 Binary files a/windows/deployment/images/fig2-importedos.png and b/windows/deployment/images/fig2-importedos.png differ diff --git a/windows/deployment/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png index 1da70bd6e7..bdd81ddbde 100644 Binary files a/windows/deployment/images/fig2-taskseq.png and b/windows/deployment/images/fig2-taskseq.png differ diff --git a/windows/deployment/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png index b1f6924665..14d93fb278 100644 Binary files a/windows/deployment/images/fig4-oob-drivers.png and b/windows/deployment/images/fig4-oob-drivers.png differ diff --git a/windows/deployment/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png index 378215ee2b..3ab40d730a 100644 Binary files a/windows/deployment/images/fig8-cust-tasks.png and b/windows/deployment/images/fig8-cust-tasks.png differ diff --git a/windows/deployment/images/image-captured.png b/windows/deployment/images/image-captured.png new file mode 100644 index 0000000000..69c5d5ef15 Binary files /dev/null and b/windows/deployment/images/image-captured.png differ diff --git a/windows/deployment/images/iso-data.png b/windows/deployment/images/iso-data.png new file mode 100644 index 0000000000..f188046b7f Binary files /dev/null and b/windows/deployment/images/iso-data.png differ diff --git a/windows/deployment/images/mdt-03-fig02.png b/windows/deployment/images/mdt-03-fig02.png index d0fd979449..934be09dc1 100644 Binary files a/windows/deployment/images/mdt-03-fig02.png and b/windows/deployment/images/mdt-03-fig02.png differ diff --git a/windows/deployment/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png index ba1de39aa0..a387923d80 100644 Binary files a/windows/deployment/images/mdt-03-fig03.png and b/windows/deployment/images/mdt-03-fig03.png differ diff --git a/windows/deployment/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png index 26600a2036..437531d2f6 100644 Binary files a/windows/deployment/images/mdt-03-fig04.png and b/windows/deployment/images/mdt-03-fig04.png differ diff --git a/windows/deployment/images/mdt-03-fig05.png b/windows/deployment/images/mdt-03-fig05.png index 9c44837022..a7b8d6ca2e 100644 Binary files a/windows/deployment/images/mdt-03-fig05.png and b/windows/deployment/images/mdt-03-fig05.png differ diff --git a/windows/deployment/images/mdt-07-fig01.png b/windows/deployment/images/mdt-07-fig01.png index b2ccfec334..90635678e8 100644 Binary files a/windows/deployment/images/mdt-07-fig01.png and b/windows/deployment/images/mdt-07-fig01.png differ diff --git a/windows/deployment/images/mdt-07-fig08.png b/windows/deployment/images/mdt-07-fig08.png index 66e2969916..2cbfc47271 100644 Binary files a/windows/deployment/images/mdt-07-fig08.png and b/windows/deployment/images/mdt-07-fig08.png differ diff --git a/windows/deployment/images/mdt-07-fig09.png b/windows/deployment/images/mdt-07-fig09.png index ce320427ee..245b59072d 100644 Binary files a/windows/deployment/images/mdt-07-fig09.png and b/windows/deployment/images/mdt-07-fig09.png differ diff --git a/windows/deployment/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png index 7aff3c2d76..2c61e0eb3d 100644 Binary files a/windows/deployment/images/mdt-07-fig10.png and b/windows/deployment/images/mdt-07-fig10.png differ diff --git a/windows/deployment/images/mdt-07-fig11.png b/windows/deployment/images/mdt-07-fig11.png index 905f8bd572..ce70374271 100644 Binary files a/windows/deployment/images/mdt-07-fig11.png and b/windows/deployment/images/mdt-07-fig11.png differ diff --git a/windows/deployment/images/mdt-07-fig13.png b/windows/deployment/images/mdt-07-fig13.png index 849949a2f2..dae9bd23b8 100644 Binary files a/windows/deployment/images/mdt-07-fig13.png and b/windows/deployment/images/mdt-07-fig13.png differ diff --git a/windows/deployment/images/mdt-07-fig14.png b/windows/deployment/images/mdt-07-fig14.png index cfe7843eeb..788e609cf6 100644 Binary files a/windows/deployment/images/mdt-07-fig14.png and b/windows/deployment/images/mdt-07-fig14.png differ diff --git a/windows/deployment/images/mdt-07-fig16.png b/windows/deployment/images/mdt-07-fig16.png index 80e0925a40..995eaa51c7 100644 Binary files a/windows/deployment/images/mdt-07-fig16.png and b/windows/deployment/images/mdt-07-fig16.png differ diff --git a/windows/deployment/images/mdt-08-fig01.png b/windows/deployment/images/mdt-08-fig01.png index 7f795c42d4..7e9e650633 100644 Binary files a/windows/deployment/images/mdt-08-fig01.png and b/windows/deployment/images/mdt-08-fig01.png differ diff --git a/windows/deployment/images/mdt-08-fig02.png b/windows/deployment/images/mdt-08-fig02.png index 50c97d8d0c..7a0a4a1bbb 100644 Binary files a/windows/deployment/images/mdt-08-fig02.png and b/windows/deployment/images/mdt-08-fig02.png differ diff --git a/windows/deployment/images/mdt-08-fig14.png b/windows/deployment/images/mdt-08-fig14.png index 21b358d1f8..4e5626280a 100644 Binary files a/windows/deployment/images/mdt-08-fig14.png and b/windows/deployment/images/mdt-08-fig14.png differ diff --git a/windows/deployment/images/mdt-09-fig07.png b/windows/deployment/images/mdt-09-fig07.png index 431f212f80..a2a9093ff0 100644 Binary files a/windows/deployment/images/mdt-09-fig07.png and b/windows/deployment/images/mdt-09-fig07.png differ diff --git a/windows/deployment/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png index 64c0c4a6ee..8625f2972b 100644 Binary files a/windows/deployment/images/mdt-10-fig05.png and b/windows/deployment/images/mdt-10-fig05.png differ diff --git a/windows/deployment/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png index ccdd05f34e..bb5010a93d 100644 Binary files a/windows/deployment/images/mdt-10-fig09.png and b/windows/deployment/images/mdt-10-fig09.png differ diff --git a/windows/deployment/images/mdt-apps.png b/windows/deployment/images/mdt-apps.png new file mode 100644 index 0000000000..72ee2268f2 Binary files /dev/null and b/windows/deployment/images/mdt-apps.png differ diff --git a/windows/deployment/images/mdt-monitoring.png b/windows/deployment/images/mdt-monitoring.png new file mode 100644 index 0000000000..c49732223a Binary files /dev/null and b/windows/deployment/images/mdt-monitoring.png differ diff --git a/windows/deployment/images/mdt-offline-media.png b/windows/deployment/images/mdt-offline-media.png new file mode 100644 index 0000000000..d81ea4e0d8 Binary files /dev/null and b/windows/deployment/images/mdt-offline-media.png differ diff --git a/windows/deployment/images/mdt-post-upg.png b/windows/deployment/images/mdt-post-upg.png new file mode 100644 index 0000000000..f41d2ff32b Binary files /dev/null and b/windows/deployment/images/mdt-post-upg.png differ diff --git a/windows/deployment/images/mdt-replace.png b/windows/deployment/images/mdt-replace.png new file mode 100644 index 0000000000..d731037d38 Binary files /dev/null and b/windows/deployment/images/mdt-replace.png differ diff --git a/windows/deployment/images/mdt-rules.png b/windows/deployment/images/mdt-rules.png new file mode 100644 index 0000000000..b01c519635 Binary files /dev/null and b/windows/deployment/images/mdt-rules.png differ diff --git a/windows/deployment/images/mdt-upgrade-proc.png b/windows/deployment/images/mdt-upgrade-proc.png new file mode 100644 index 0000000000..07a968aed0 Binary files /dev/null and b/windows/deployment/images/mdt-upgrade-proc.png differ diff --git a/windows/deployment/images/mdt-upgrade.png b/windows/deployment/images/mdt-upgrade.png new file mode 100644 index 0000000000..c794526ad5 Binary files /dev/null and b/windows/deployment/images/mdt-upgrade.png differ diff --git a/windows/deployment/images/mdt.png b/windows/deployment/images/mdt.png new file mode 100644 index 0000000000..76a00ee065 Binary files /dev/null and b/windows/deployment/images/mdt.png differ diff --git a/windows/deployment/images/monitor-pc0001.PNG b/windows/deployment/images/monitor-pc0001.PNG new file mode 100644 index 0000000000..072b9cb58c Binary files /dev/null and b/windows/deployment/images/monitor-pc0001.PNG differ diff --git a/windows/deployment/images/office-folder.png b/windows/deployment/images/office-folder.png new file mode 100644 index 0000000000..722cc4d664 Binary files /dev/null and b/windows/deployment/images/office-folder.png differ diff --git a/windows/deployment/images/pc0001.png b/windows/deployment/images/pc0001.png new file mode 100644 index 0000000000..839cd3de54 Binary files /dev/null and b/windows/deployment/images/pc0001.png differ diff --git a/windows/deployment/images/pc0005-vm-office.png b/windows/deployment/images/pc0005-vm-office.png new file mode 100644 index 0000000000..bb8e96f5af Binary files /dev/null and b/windows/deployment/images/pc0005-vm-office.png differ diff --git a/windows/deployment/images/pc0005-vm.png b/windows/deployment/images/pc0005-vm.png new file mode 100644 index 0000000000..4b2af635c4 Binary files /dev/null and b/windows/deployment/images/pc0005-vm.png differ diff --git a/windows/deployment/images/pc0006.png b/windows/deployment/images/pc0006.png new file mode 100644 index 0000000000..6162982966 Binary files /dev/null and b/windows/deployment/images/pc0006.png differ diff --git a/windows/deployment/images/thinkstation.png b/windows/deployment/images/thinkstation.png new file mode 100644 index 0000000000..7a144ec5b3 Binary files /dev/null and b/windows/deployment/images/thinkstation.png differ diff --git a/windows/deployment/images/upgrademdt-fig1-machines.png b/windows/deployment/images/upgrademdt-fig1-machines.png deleted file mode 100644 index ef553b6595..0000000000 Binary files a/windows/deployment/images/upgrademdt-fig1-machines.png and /dev/null differ diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md deleted file mode 100644 index afb65c8724..0000000000 --- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md +++ /dev/null @@ -1,96 +0,0 @@ ---- -title: Change history for Plan for Windows 10 deployment (Windows 10) -description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 07/19/2017 -ms.topic: article ---- - -# Change history for Plan for Windows 10 deployment - - -This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). - - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic: -- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md) - -## January 2017 - -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips | - -## September 2016 - -| New or changed topic | Description | -| --- | --- | -| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) | -| Windows Update for Business

Setup and deployment of Windows Update for Business

Integration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) | - - -## RELEASE: Windows 10, version 1607 - -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). - - -## July 2016 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.| -| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. | - - -## May 2016 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New| - -## December 2015 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New | - - -## November 2015 - - -| New or changed topic | Description | -|--------------------------------------------------------------------------------------------------|-------------| -| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New | -| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New | -| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated | - - - -## Related topics - - -[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10) - -[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md) - - - - - - - - - - diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 6f28178063..dde951580a 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -27,9 +27,9 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi ## Related topics - [Windows 10 servicing options for updates and upgrades](../update/index.md) -- [Deploy Windows 10 with MDT 2013 Update 1](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) - [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) -- [Upgrade to Windows 10 with MDT 2013 Update 1](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) - [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)   diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index 7e35245a09..760c0f0182 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,6 +1,6 @@ --- -title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices -description: Learn how to deploy feature updates to your mission critical devices +title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices +description: Learn how to deploy feature updates to your mission-critical devices ms.prod: w10 ms.mktglfcycl: manage audience: itpro @@ -8,7 +8,6 @@ itproauthor: jaimeo author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 07/10/2018 ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop @@ -21,7 +20,7 @@ ms.topic: article Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. -For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). +For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service). Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: @@ -32,9 +31,9 @@ You can use Configuration Manager to deploy feature updates to Windows 10 device - **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. - **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. -- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. +- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. -If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method. +If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates. Use the following information: diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index a81d83a38c..06ca9774d4 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -36,7 +36,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | | [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. | +| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 612c44e92a..c3c6abb633 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -17,7 +17,7 @@ ms.topic: article # Delivery Optimization in Update Compliance ![DO status](images/UC_workspace_DO_status.png) -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ## Delivery Optimization Status diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 731828c027..2bcc21e872 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -17,6 +17,11 @@ ms.topic: article # Monitor Windows Updates with Update Compliance +> [!IMPORTANT] +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: +> +> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates. +> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction @@ -46,8 +51,8 @@ The Update Compliance architecture and data flow follows this process: 4. Diagnostic data is available in the Update Compliance solution. ->[!NOTE] ->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md). +> [!NOTE] +> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md). @@ -55,4 +60,4 @@ The Update Compliance architecture and data flow follows this process: ## Related topics [Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index b38df5c5af..b07741ffeb 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -16,6 +16,10 @@ ms.topic: article # Perspectives +> [!IMPORTANT] +> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. + + ![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. @@ -33,10 +37,10 @@ The third blade is the **Deployment Status** blade. This defines how many days i | State | Description | | --- | --- | | Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | -| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | -| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | -| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | -| Cancelled | The update was cancelled. | +| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | +| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | +| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. | +| Cancelled | The update was canceled. | | Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | | Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | | Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | @@ -48,19 +52,19 @@ The final blade is the **Detailed Deployment Status** blade. This blade breaks d | State | Description | | --- | --- | -| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | -| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | +| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. | +| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. | | Update offered | The device has been offered the update, but has not begun downloading it. | | Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | | Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | | Download Started | The update has begun downloading on the device. | | Download Succeeded | The update has successfully completed downloading. | | Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | -| Install Started | Installation of the update has begun. | -| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. +| Install Started | Installation of the update has begun. | +| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. | Reboot Pending | The device has a scheduled reboot to apply the update. | | Reboot Initiated | The scheduled reboot has been initiated. | -| Update Completed/Commit | The update has successfully installed. | +| Update Completed/Commit | The update has successfully installed. | ->[!NOTE] ->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. +> [!NOTE] +> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index fa252c9db1..f6f30a2709 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -30,7 +30,7 @@ Deployment status summarizes detailed status into higher-level states to get a q |Deployment status |Description | |---------|---------| |Failed | The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update. | -|Progress stalled | he device started the update process, but no progress has been reported in the last 7 days. | +|Progress stalled | The device started the update process, but no progress has been reported in the last 7 days. | |Deferred | The device is currently deferring the update process due to Windows Update for Business policies. | |In progress | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.** | |Update completed | The device has completed the update process. | @@ -42,7 +42,7 @@ Deployment status summarizes detailed status into higher-level states to get a q Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status. -|Detaild status |Description | +|Detailed status |Description | |---------|---------| |Scheduled in next X days | The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days. | |Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | @@ -59,7 +59,7 @@ Detailed status provides a detailed stage-level representation of where in the u |Commit | The device, after a restart, is committing changes relevant to the update. | |Finalize succeeded | The device has finished final tasks after a restart to apply the update. | |Update successful | The device has successfully applied the update. | -|Cancelled | The update was cancelled at some point in the update process. | +|Cancelled | The update was canceled at some point in the update process. | |Uninstalled | The update was successfully uninstalled from the device. | |Rollback | The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update. | diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index edc9156531..3fae8e0328 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -16,12 +16,16 @@ ms.topic: article # Windows Defender AV Status + +> [!IMPORTANT] +> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates. + ![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. ->[!NOTE] ->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). +> [!NOTE] +> Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). ## Windows Defender AV Status sections The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 61a6af8b7c..ac14bcf549 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -6,7 +6,6 @@ description: Delivery Optimization is a new peer-to-peer distribution method in keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy - audience: itpro author: jaimeo ms.localizationpriority: medium @@ -183,7 +182,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a ### Monitor with Update Compliance -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ![DO status](images/UC_workspace_DO_status.png) diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md deleted file mode 100644 index da28265e33..0000000000 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ /dev/null @@ -1,328 +0,0 @@ ---- -title: Deploy Windows 10 updates via Microsoft Endpoint Configuration Manager -description: Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager - - -**Applies to** - -- Windows 10 - - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. - - -Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. - -You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. - ->[!NOTE] ->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). - -## Windows 10 servicing dashboard - -The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). - -For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: - -- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods. -- **Windows Server Update Service (WSUS)**. Microsoft Endpoint Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. -- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode. -- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications. - - **To configure Upgrade classification** - - 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list. - - 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**. - - ![Example of UI](images/waas-sccm-fig1.png) - - 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**. - -When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard. - -## Create collections for deployment rings - -Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users. - ->[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. - -**To create collections for deployment rings** - -1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. - -2. On the Ribbon, in the **Create** group, click **Create Device Collection**. - -3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**. - -4. Click **Browse** to select the limiting collection, and then click **All Systems**. - -5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**. - -6. Name the rule **CBB Detection**, and then click **Edit Query Statement**. - -7. On the **Criteria** tab, click the **New** icon. - - ![Example of UI](images/waas-sccm-fig4.png) - -8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**. - -9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig5.png) - - >[!NOTE] - >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**. - -10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**. - - ![Example of UI](images/waas-sccm-fig6.png) - -11. Now that the **OSBranch** attribute is correct, verify the operating system version. - -12. On the **Criteria** tab, click the **New** icon again to add criteria. - -13. In the **Criterion Properties** dialog box, click **Select**. - -14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig7.png) - -15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig8.png) - -16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard. - -17. Click **Summary**, and then click **Next**. - -18. Close the wizard. - ->[!IMPORTANT] ->Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds. - -After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences. - -1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. - -2. On the Ribbon, in the **Create** group, click **Create Device Collection**. - -3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**. - -4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**. - -5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**. - -6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**. - -7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**. - -8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**. - -9. Click **Next**, and then click **Close**. - -10. In the **Create Device Collection Wizard** dialog box, click **Summary**. - -11. Click **Next**, and then click **Close**. - - -## Use Windows 10 servicing plans to deploy Windows 10 feature updates - -There are two ways to deploy Windows 10 feature updates with Microsoft Endpoint Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. - -**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan** - -1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**. - -2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**. - -3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**. - -4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**. - - >[!IMPORTANT] - >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message. - > - >![This is a high-risk deployment](images/waas-sccm-fig9.png) - > - >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). - -5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**. - - Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB. - - On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**. - -6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank. - -7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline. - -8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**. - - Doing so allows installation and restarts after the 7-day deadline on workstations only. - -9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**. - - In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates. - - ![Example of UI](images/waas-sccm-fig10.png) - -10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**. - - ![Example of UI](images/waas-sccm-fig11.png) - - Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**. - -11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**. - - -You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab. - -![Example of UI](images/waas-sccm-fig12.png) - - -## Use a task sequence to deploy Windows 10 updates - -There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments. - -Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages. - -2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**. - -3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**. - - In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607. - -4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**. - -5. On the **Summary** page, click **Next** to create the package. - -6. On the **Completion** page, click **Close**. - -Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package. - -2. On the Ribbon, in the **Deployment group**, click **Distribute Content**. - -3. In the Distribute Content Wizard, on the **General** page, click **Next**. - -4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**. - -5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**. - -6. On the **Content Destination** page, click **Next**. - -7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point. - -8. On the **Completion** page, click **Close**. - -Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences. - -2. On the Ribbon, in the **Create** group, click **Create Task Sequence**. - -3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. - -4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**. - -5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**. - -6. Click **Next**. - -7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**. - -8. On the **Install Applications** page, click **Next**. - -9. On the **Summary** page, click **Next** to create the task sequence. - -10. On the **Completion** page, click **Close**. - -With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**. - ->[!IMPORTANT] ->This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully. - -**To deploy your task sequence** - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence. - -2. On the Ribbon, in the **Deployment** group, click **Deploy**. - -3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**. - -4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**. - -5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**. - -6. In the **Assignment Schedule** dialog box, click **Schedule**. - -7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**. - -8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**. - -9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**. - -10. Use the defaults for the remaining settings. - -11. Click **Summary**, and then click **Next** to deploy the task sequence. - -12. Click **Close**. - - -## Steps to manage updates for Windows 10 - -| | | -| --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager (this topic) | - -## See also - -[Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage device restarts after updates](waas-restart.md) - diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index c7be3666ed..b23dfbb017 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -45,7 +45,6 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
  • Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
  • Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
  • Helping customers shift to a modern desktop - September 6, 2018
    • -
  • Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
  • What's next for Windows 10 and Windows Server quality updates - August 16, 2018
  • Windows 10 monthly updates - August 1, 2018 (video)
  • Windows 10 update servicing cadence - August 1, 2018
    • diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 613250332f..6dca369b35 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -1,8 +1,8 @@ --- title: Windows as a service -ms.prod: windows-10 +ms.prod: w10 ms.topic: landing-page -ms.manager: elizapo +ms.manager: laurawi audience: itpro itproauthor: jaimeo author: jaimeo @@ -73,7 +73,6 @@ Learn more about Windows as a service and its value to your organization. Quick guide to Windows as a service -Windows Analytics overview What's new in Windows 10 deployment @@ -117,7 +116,6 @@ Secure your organization's deployment investment. Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. -[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) [BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index 11483f0c9b..719b115f4f 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md @@ -9,14 +9,13 @@ author: jaimeo ms.localizationprioauthor: jaimeo ms.audience: itpro author: jaimeo -ms.date: 06/20/2018 ms.reviewer: manager: laurawi ms.topic: article --- # Configure the Basic group policy for Windows Update for Business -For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. +For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Monitor Windows Update with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding. |Policy name|Description | |-|-| @@ -28,4 +27,4 @@ For Windows Update for Business configurations to work, devices need to be confi |Policy|Location|Suggested configuration| |-|-|-| |Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
    **Option**: 1-Basic| -|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
    **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| +|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
    **Commercial ID**: The GUID created for you at the time of onboarding| diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index df08dd3caa..41edd21e70 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -16,15 +16,15 @@ ms.topic: article Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. -The compliance options have changed with the release of Windows 10, version 1903: +The compliance options have changed for devices on Windows 10, version 1709 and above: -- [Starting with Windows 10, version 1903](#starting-with-windows-10-version-1903) -- [Prior to Windows 10, version 1903](#prior-to-windows-10-version-1903) +- [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above) +- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) -## Starting with Windows 10, version 1903 +## For Windows 10, version 1709 and above -With a current version of Windows 10, it's best to use the new policy introduced in Windows 10, version 1903: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings: +With a current version of Windows 10, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and above: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings: - Update/ConfigureDeadlineForFeatureUpdates - Update/ConfigureDeadlineForQualityUpdates @@ -43,7 +43,7 @@ Further, the policy includes the option to opt out of automatic restarts until t |Policy|Description | |-|-| -| (starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | +| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | @@ -51,31 +51,34 @@ Further, the policy includes the option to opt out of automatic restarts until t |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |-|-|-|-|-| -|(starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | +|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | -When **Specify deadlines for automatic updates and restarts** is set (starting in Windows 10, version 1903): +When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above): -**While restart is pending, before the deadline occurs:** -- For the first few days, the user receives a toast notification -- After this period, the user receives this dialog: + - **While restart is pending, before the deadline occurs:** -![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png) -- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: + - For the first few days, the user receives a toast notification -![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) + - After this period, the user receives this dialog: -**If the restart is still pending after the deadline passes:** -- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: + ![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png) -![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) -- Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: + - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: -![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png) + ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) + + - **If the restart is still pending after the deadline passes:** + + - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: + + ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) + + - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: + + ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png) - - -## Prior to Windows 10, version 1903 +## Prior to Windows 10, version 1709 Two compliance flows are available: @@ -119,9 +122,11 @@ Once the device is in the pending restart state, it will attempt to restart the #### Notification experience for deadline Notification users get for a quality update deadline: + ![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) Notification users get for a feature update deadline: + ![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) ### Deadline with user engagement diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index c5595129d2..2d3ffa0e03 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -28,14 +28,13 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi ## Proof-of-concept environment +For the purposes of this topic, we will use three computers: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a domain member server. PC0001 is a computer running Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Prepare for deployment with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md). -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +![computers](../images/dc01-cm01-pc0001.png) -![figure 1](../images/upgrademdt-fig1-machines.png) +The computers used in this topic. -Figure 1. The machines used in this topic. - -## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager +## Upgrade to Windows 10 with Configuration Manager System Center 2012 R2 Configuration Manager SP 1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks. diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md deleted file mode 100644 index ee85dd816a..0000000000 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ /dev/null @@ -1,110 +0,0 @@ ---- -title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) -description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 10 with MDT - -**Applies to** -- Windows 10 - -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. - -## Proof-of-concept environment - -For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![fig 1](../images/upgrademdt-fig1-machines.png) - -Figure 1. The machines used in this topic. - -## Set up the upgrade task sequence - -MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple. - -## Create the MDT production deployment share - -The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: - -1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd. -2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -## Add Windows 10 Enterprise x64 (full source) - -In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder. - -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. -2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. -3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - Full set of source files - - Source directory: E:\\Downloads\\Windows 10 Enterprise x64 - - Destination directory name: W10EX64RTM -4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** - -![figure 2](../images/upgrademdt-fig2-importedos.png) - -Figure 2. The imported Windows 10 operating system after you rename it. - -## Create a task sequence to upgrade to Windows 10 Enterprise - -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-UPG - - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Default Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: about:blank - - Admin Password: Do not specify an Administrator Password at this time - -![figure 3](../images/upgrademdt-fig3-tasksequence.png) - -Figure 3. The task sequence to upgrade to Windows 10. - -## Perform the Windows 10 upgrade - -To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). - -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. - - ![figure 4](../images/upgrademdt-fig4-selecttask.png) - - Figure 4. Upgrade task sequence. - -3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) -4. On the **Ready** tab, click **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![figure 5](../images/upgrademdt-fig5-winupgrade.png) - -Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related topics - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) - -[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index cd3a28b0ca..3479b54e9c 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -55,7 +55,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. -Perform an in-place upgrade to Windows 10 with MDT
    Perform an in-place upgrade to Windows 10 using Configuration Manager +Perform an in-place upgrade to Windows 10 with MDT
    Perform an in-place upgrade to Windows 10 using Configuration Manager @@ -268,7 +268,7 @@ The deployment process for the replace scenario is as follows: ## Related topics -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) - [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index fc6a392e8f..944908ad16 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm ms.localizationpriority: medium -ms.date: 10/11/2017 ms.reviewer: manager: laurawi ms.audience: itpro @@ -446,7 +445,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Summary: click **Next** - Confirmation: click **Finish** -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. 10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001**
    @@ -1074,10 +1073,3 @@ In the Configuration Manager console, in the Software Library workspace under Op ## Related Topics [System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) - - - - - - - diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 516142c42a..31298d382d 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,6 +1,6 @@ --- title: Demonstrate Autopilot deployment -ms.reviewer: +ms.reviewer: manager: laurawi description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade @@ -21,20 +21,23 @@ ms.custom: autopilot **Applies to** -- Windows 10 +- Windows 10 To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. -In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. +In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. ->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. +> [!NOTE] +> Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. + +> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. The following video provides an overview of the process:
    - + ->For a list of terms used in this guide, see the [Glossary](#glossary) section. +> For a list of terms used in this guide, see the [Glossary](#glossary) section. ## Prerequisites @@ -83,9 +86,9 @@ A summary of the sections and procedures in the lab is provided below. Follow ea ## Verify support for Hyper-V -If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). +If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). ->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). +> If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. @@ -103,9 +106,9 @@ This command works on all operating systems that support Hyper-V, but on Windows Install-WindowsFeature -Name Hyper-V -IncludeManagementTools ``` -When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. +When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. ->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: +> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: ![hyper-v feature](../images/hyper-v-feature.png) @@ -119,25 +122,25 @@ To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https:// ## Create a demo VM -Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. +Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. -To use Windows Powershell we just need to know two things: +To use Windows PowerShell, we just need to know two things: 1. The location of the Windows 10 ISO file. - - In the example, we assume the location is **c:\iso\win10-eval.iso**. + - In the example, we assume the location is **c:\iso\win10-eval.iso**. 2. The name of the network interface that connects to the Internet. - - In the example, we use a Windows PowerShell command to determine this automatically. + - In the example, we use a Windows PowerShell command to determine this automatically. After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. ### Set ISO file location -You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). -- When asked to select a platform, choose **64 bit**. +You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). +- When asked to select a platform, choose **64 bit**. -After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). +After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). -1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. +1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. 2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. 3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. @@ -149,19 +152,19 @@ The Get-NetAdaper cmdlet is used below to automatically find the network adapter (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name ``` -The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. +The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. -### Use Windows PowerShell to create the demo VM +### Use Windows PowerShell to create the demo VM All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. ->[!IMPORTANT] ->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

    If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

    If you have never created an external VM switch before, then just run the commands below. +> [!IMPORTANT] +> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.

    If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

    If you have never created an external VM switch before, then just run the commands below. ```powershell -New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot Start-VM -VMName WindowsAutopilot @@ -222,13 +225,13 @@ Ensure the VM booted from the installation ISO, click **Next** then click **Inst ![Windows setup](images/winsetup5.png) ![Windows setup](images/winsetup6.png) ->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: +After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - ![Windows setup](images/winsetup7.png) + ![Windows setup](images/winsetup7.png) Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. - ![Windows setup](images/winsetup8.png) + ![Windows setup](images/winsetup8.png) To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: @@ -240,7 +243,8 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see ## Capture the hardware ID ->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. +> [!NOTE] +> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. Follow these steps to run the PS script: @@ -292,18 +296,19 @@ Mode LastWriteTime Length Name PS C:\HWID> -Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. +Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. -**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. +> [!NOTE] +> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. ![Serial number and hardware hash](images/hwid.png) -You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). +You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. ->[!NOTE] ->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. +> [!NOTE] +> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. ## Reset the VM back to Out-Of-Box-Experience (OOBE) @@ -326,7 +331,7 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a ![MDM and Intune](images/mdm-intune2.png) -If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. +If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. @@ -336,8 +341,8 @@ To convert your Intune trial account to a free Premium trial account, navigate t If you already have company branding configured in Azure Active Directory, you can skip this step. ->[!IMPORTANT] ->Make sure to sign-in with a Global Administrator account. +> [!IMPORTANT] +> Make sure to sign-in with a Global Administrator account. Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. @@ -345,8 +350,8 @@ Navigate to [Company branding in Azure Active Directory](https://portal.azure.co When you are finished, click **Save**. ->[!NOTE] ->Changes to company branding can take up to 30 minutes to apply. +> [!NOTE] +> Changes to company branding can take up to 30 minutes to apply. ## Configure Microsoft Intune auto-enrollment @@ -368,8 +373,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B ![Intune device import](images/device-import.png) - >[!NOTE] - >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. + > [!NOTE] + > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. @@ -377,7 +382,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B You should receive confirmation that the file is formatted correctly before uploading it, as shown above. -3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. +3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. 4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. @@ -385,8 +390,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B ### Autopilot registration using MSfB ->[!IMPORTANT] ->If you've already registered your VM (or device) using Intune, then skip this step. +> [!IMPORTANT] +> If you've already registered your VM (or device) using Intune, then skip this step. Optional: see the following video for an overview of the process. @@ -408,8 +413,8 @@ Click the **Add devices** link to upload your CSV file. A message will appear in ## Create and assign a Windows Autopilot deployment profile ->[!IMPORTANT] ->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: +> [!IMPORTANT] +> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: Pick one: - [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) @@ -417,12 +422,12 @@ Pick one: ### Create a Windows Autopilot deployment profile using Intune ->[!NOTE] ->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: +> [!NOTE] +> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: ![Devices](images/intune-devices.png) ->The example above lists both a physical device and a VM. Your list should only include only one of these. +> The example above lists both a physical device and a VM. Your list should only include only one of these. To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** @@ -458,7 +463,7 @@ See the following example: Click on **OK** and then click on **Create**. ->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). +> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). #### Assign the profile @@ -534,8 +539,8 @@ Confirm the profile was successfully assigned to the intended device by checking ![MSfB assign](images/msfb-assign2.png) ->[!IMPORTANT] ->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. +> [!IMPORTANT] +> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. ## See Windows Autopilot in action @@ -545,14 +550,14 @@ If you shut down your VM after the last reset, it’s time to start it back up a Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. ->[!TIP] ->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). +> [!TIP] +> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). - Ensure your device has an internet connection. - Turn on the device - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). -![OOBE sign-in page](images/autopilot-oobe.jpg) +![OOBE sign-in page](images/autopilot-oobe.jpg) Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. @@ -570,35 +575,38 @@ To use the device (or VM) for other purposes after completion of this lab, you w You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. -![Delete device](images/delete-device1.png) +![Delete device](images/delete-device1.png) Click **X** when challenged to complete the operation: -![Delete device](images/delete-device2.png) +![Delete device](images/delete-device2.png) This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. -![Delete device](images/delete-device3.png) +![Delete device](images/delete-device3.png) -The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. +The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. + +> [!NOTE] +> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. To remove the device from the Autopilot program, select the device and click Delete. -![Delete device](images/delete-device4.png) +![Delete device](images/delete-device4.png) A warning message appears reminding you to first remove the device from Intune, which we previously did. -![Delete device](images/delete-device5.png) +![Delete device](images/delete-device5.png) At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: -![Delete device](images/delete-device6.png) +![Delete device](images/delete-device6.png) Once the device no longer appears, you are free to reuse it for other purposes. If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: -![Delete device](images/delete-device7.png) +![Delete device](images/delete-device7.png) ## Appendix A: Verify support for Hyper-V @@ -618,9 +626,9 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes In this example, the computer supports SLAT and Hyper-V. ->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. +> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. -You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: +You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: 
     C:>coreinfo -v
@@ -637,7 +645,8 @@ VMX             *       Supports Intel hardware-assisted virtualization
 EPT             *       Supports Intel extended page tables (SLAT)
    -Note: A 64-bit operating system is required to run Hyper-V. +> [!NOTE] +> A 64-bit operating system is required to run Hyper-V. ## Appendix B: Adding apps to your profile @@ -645,10 +654,10 @@ Note: A 64-bit operating system is required to run Hyper-V. #### Prepare the app for Intune -Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: +Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool: 1. The source folder for your application -2. The name of the setup executable file +2. The name of the setup executable file 3. The output folder for the new file For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. @@ -657,7 +666,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: -![Add app](images/app01.png) +![Add app](images/app01.png) After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. @@ -667,50 +676,51 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Add app](images/app02.png) +![Add app](images/app02.png) Under **App Type**, select **Windows app (Win32)**: -![Add app](images/app03.png) +![Add app](images/app03.png) On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: -![Add app](images/app04.png) +![Add app](images/app04.png) On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: -![Add app](images/app05.png) +![Add app](images/app05.png) On the **Program Configuration** blade, supply the install and uninstall commands: Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q -NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. +> [!NOTE] +> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file. -![Add app](images/app06.png) +![Add app](images/app06.png) -Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). +Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). Click **OK** to save your input and activate the **Requirements** blade. On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: -![Add app](images/app07.png) +![Add app](images/app07.png) Next, configure the **Detection rules**. For our purposes, we will select manual format: -![Add app](images/app08.png) +![Add app](images/app08.png) Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: -![Add app](images/app09.png) +![Add app](images/app09.png) -Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. +Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. **Return codes**: For our purposes, leave the return codes at their default values: -![Add app](images/app10.png) +![Add app](images/app10.png) Click **OK** to exit. @@ -720,31 +730,32 @@ Click the **Add** button to finalize and save your app package. Once the indicator message says the addition has completed. -![Add app](images/app11.png) +![Add app](images/app11.png) You will be able to find your app in your app list: -![Add app](images/app12.png) +![Add app](images/app12.png) #### Assign the app to your Intune profile -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - +> [!NOTE] +> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: -![Add app](images/app13.png) +![Add app](images/app13.png) Select **Add Group** to open the **Add group** pane that is related to the app. For our purposes, select **Required** from the **Assignment type** dropdown menu: ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. +> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. Select **Included Groups** and assign the groups you previously created that will use this app: -![Add app](images/app14.png) +![Add app](images/app14.png) -![Add app](images/app15.png) +![Add app](images/app15.png) In the **Select groups** pane, click the **Select** button. @@ -754,7 +765,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. -![Add app](images/app16.png) +![Add app](images/app16.png) At this point, you have completed steps to add a Win32 app to Intune. @@ -768,51 +779,52 @@ Log into the Azure portal and select **Intune**. Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. -![Add app](images/app17.png) +![Add app](images/app17.png) Under **App Type**, select **Office 365 Suite > Windows 10**: -![Add app](images/app18.png) +![Add app](images/app18.png) Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: -![Add app](images/app19.png) +![Add app](images/app19.png) Click **OK**. -In the **App Suite Information** pane, enter a unique suite name, and a suitable description. +In the **App Suite Information** pane, enter a unique suite name, and a suitable description. ->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. +> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. -![Add app](images/app20.png) +![Add app](images/app20.png) Click **OK**. In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: -![Add app](images/app21.png) +![Add app](images/app21.png) Click **OK** and then click **Add**. #### Assign the app to your Intune profile -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - +> [!NOTE] +> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: -![Add app](images/app22.png) +![Add app](images/app22.png) Select **Add Group** to open the **Add group** pane that is related to the app. For our purposes, select **Required** from the **Assignment type** dropdown menu: ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. +> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. Select **Included Groups** and assign the groups you previously created that will use this app: -![Add app](images/app23.png) +![Add app](images/app23.png) -![Add app](images/app24.png) +![Add app](images/app24.png) In the **Select groups** pane, click the **Select** button. @@ -822,7 +834,7 @@ In the **Add group** pane, select **OK**. In the app **Assignments** pane, select **Save**. -![Add app](images/app25.png) +![Add app](images/app25.png) At this point, you have completed steps to add Office to Intune. @@ -830,7 +842,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: -![Add app](images/app26.png) +![Add app](images/app26.png) ## Glossary diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 8a7020e6c9..81d649c077 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -251,6 +251,9 @@ See the following examples. 25. Click **OK** to close the Task Sequence Editor. +> [!NOTE] +> On Windows 10 1903 and 1909, the **AutopilotConfigurationFile.json** is deleted by the **Prepare Windows for Capture** step. See [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues) for more information and a workaround. + ### Deploy Content to Distribution Points Next, ensure that all content required for the task sequence is deployed to distribution points. diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index 5be64cc194..40de54fe9a 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -32,9 +32,9 @@ ms.topic: article
  • Run the command w32tm /resync /force to sync the time with the default time server (time.windows.com). -Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen. +Windows Autopilot for existing devices does not work for Windows 10, version 1903 or 1909; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
     
    -This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file. +This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConfigurationFile.json file. To fix this issue:
    1. Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step.
    2. Add a new Run command line step that runs c:\windows\system32\sysprep\sysprep.exe /oobe /reboot.
    More information @@ -71,6 +71,7 @@ This happens because Windows 10, version 1903 deletes the AutopilotConfiguration Error importing Windows Autopilot devices from a .csv fileEnsure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid. Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8. Something went wrong is displayed page during OOBE.The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements. +Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information.Using PPKGs in combination with Windows Autopilot is not recommended. ## Related topics diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index f58d814409..a03e5fbb55 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -42,6 +42,46 @@ For troubleshooting, key activities to perform are: - Azure AD join issues. Was the device able to join Azure Active Directory? - MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? +## Troubleshooting Autopilot Device Import + +### Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body **"Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"** + +This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself, even if completely valid, fails to be decoded. + +The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. Powershell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded. + +The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding "A"s at the end doesn't change the actual payload data. + +To fix this, we'll need to modify the hash, then test the new value, until powershell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string". + +To test the base64, you can use the following: +```powershell +[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("DEVICE HASH")) +``` + +So, as an example (this is not a device hash, but it's misaligned unpadded Base64 so it's good for testing): +```powershell +[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("Q29udG9zbwAAA")) +``` + +Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic. + +- Does decoding the hash fail? + - Yes: Are the last two characters "="? + - Yes: Replace both "=" with a single "A" character, then try again + - No: Add another "=" character at the end, then try again + - No: That hash is valid + +Looping the logic above on the previous example hash, we get the following permutations: +- Q29udG9zbwAAA +- Q29udG9zbwAAA= +- Q29udG9zbwAAA== +- Q29udG9zbwAAAA +- Q29udG9zbwAAAA= +- **Q29udG9zbwAAAA==** (This one has valid padding) + +Replace the collected hash with this new padded hash then try to import again. + ## Troubleshooting Autopilot OOBE issues If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that. @@ -88,6 +128,8 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. +An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object. + Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. ## Troubleshooting Intune enrollment issues diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md index 8fa6e44dc7..3fde86eb4c 100644 --- a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md +++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md @@ -18,12 +18,12 @@ ms.reviewer: robots: noindex,nofollow --- +# Microsoft Windows diagnostic data for PowerShell license terms + MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL - - These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. 1. INSTALLATION AND USE RIGHTS. diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 228b863e82..3d77adab6e 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -3375,7 +3375,7 @@ This security group has not changed since Windows Server 2008. ### Server Operators -Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Memebers of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. +Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 013c2a4130..16be1aa6bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -26,7 +26,7 @@ ms.reviewer: - Key trust > [!NOTE] ->There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). +>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). ## How many is adequate diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index c0e102cb90..6bc04cd39f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 03/05/2020 --- # Windows Hello biometrics in the enterprise @@ -28,34 +28,36 @@ Windows Hello is the biometric authentication feature that helps strengthen auth >[!NOTE] >When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. -Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. +Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. ## How does Windows Hello work? Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. -The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. +The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. ## Why should I let my employees use Windows Hello? Windows Hello provides many benefits, including: -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. -- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! +- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! - Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. ## Where is Windows Hello data stored? -The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. +The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. + +Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. ## Has Microsoft set any device requirements for Windows Hello? -We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: +We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: - **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. - **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. ### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). **Acceptable performance range for small to large size touch sensors** @@ -70,7 +72,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ### Facial recognition sensors -To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). - False Accept Rate (FAR): <0.001% diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 07be2bbf3d..7d47fb49d1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -50,6 +50,9 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join ## Can I use an external camera when my laptop is closed or docked? No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. +## Why does authentication fail immediately after provisioning Hybrid Key Trust? +In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. + ## What is the password-less strategy? Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**. @@ -166,4 +169,3 @@ Windows Hello for Business can work with any third-party federation servers that ## Does Windows Hello for Business work with Mac and Linux clients? Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index a40f945ba3..0b01799ab2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -35,7 +35,7 @@ ms.reviewer: The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. >[!IMPORTANT] -> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**. The feature works with **Pro** edition with Windows 10, version 1903 and newer. +> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer. ### Onboarding the Microsoft PIN reset service to your Intune tenant diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 6ab596d350..c7b2eca8b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -37,7 +37,10 @@ New installations are considerably more involved than existing implementations b The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. ## Active Directory -This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 or later domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. + +> [!NOTE] +>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. @@ -93,7 +96,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Highly available certificate revocation list (Azure AD Joined devices). ## Azure Active Directory -You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. +You've prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d2b1de480f..016bf3f7d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -41,6 +41,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. + +> [!NOTE] +>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. @@ -112,7 +115,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 42d9d4b606..93ca09aa2f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -25,7 +25,10 @@ ms.reviewer: - Key trust -Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. + +> [!NOTE] +>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 57a2493e4c..7a49cdb675 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -64,14 +64,24 @@ Domain controllers automatically request a domain controller certificate (if pub By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template. Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. + + > [!NOTE] + > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. + 6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. + 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. + 8. Close the console. ### Superseding the existing Domain Controller certificate @@ -81,14 +91,23 @@ Many domain controllers may have an existing domain controller certificate. The The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. + 4. Click the **Superseded Templates** tab. Click **Add**. + 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. + 6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. + 7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. + 8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. + 9. Click **OK** and close the **Certificate Templates** console. The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. @@ -98,16 +117,28 @@ The certificate template is configured to supersede all the certificate template Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. + +5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + + > [!NOTE] + > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. + 6. On the **Request Handling** tab, select **Allow private key to be exported**. + 7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + 8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. + +9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. + 10. Close the console. ### Unpublish Superseded Certificate Templates @@ -117,10 +148,15 @@ The certificate authority only issues certificates based on published certificat The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. + 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. ### Publish Certificate Templates to the Certificate Authority @@ -128,13 +164,20 @@ Sign-in to the certificate authority or management workstation with _Enterprise The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. + 5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + + \* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. 7. Close the console. @@ -143,23 +186,37 @@ Sign-in to the certificate authority or management workstations with an _Enterpr Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Right-click **Group Policy object** and select **New** + 4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. + 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. + 6. In the navigation pane, expand **Policies** under **Computer Configuration**. + 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. + 8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. + 9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. + +10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. + 11. Select the **Update certificates that use certificate templates** check box. + 12. Click **OK**. Close the **Group Policy Management Editor**. ### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** + +1. Start the **Group Policy Management Console** (gpmc.msc). + +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**. + 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. ### Validating your work diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 30d604bb53..0b032dbbdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -44,19 +44,12 @@ As an administrator in an enterprise or educational organization, you can create ## Biometric sign-in - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials. - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. -Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. - -## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure sign-in method. -Fingerprint scan can be enabled on laptop computers using a built-in fingerprint reader or an external USB fingerprint reader, as follows: -1. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** -2. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. -3. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension). -4. If you are unable to sign in with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). ## The difference between Windows Hello and Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 17f9e5e49f..24172f6859 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -23,13 +23,13 @@ ms.reviewer: Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. -This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you’ll use that information to select the correct deployment guide for your needs. +This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. ## Using this guide -There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they’ve already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. +There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. -This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you’ll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. +This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. ### How to Proceed @@ -80,13 +80,13 @@ The on-premises deployment model is for organizations that do not have cloud ide > Reset above lock screen - Windows 10, version 1709, Professional
    > Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -It’s fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. +It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. #### Trust types -A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. -The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. @@ -99,14 +99,14 @@ All devices included in the Windows Hello for Business deployment must go throug #### Key registration -The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. +The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. #### Multifactor authentication > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. -The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. +The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). > [!NOTE] @@ -156,9 +156,9 @@ Some deployment combinations require an Azure account, and some require Azure Ac ## Planning a Deployment -Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization’s infrastructure. +Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure. -Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you’ll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. +Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. ### Deployment Model @@ -170,8 +170,8 @@ If your organization is federated with Azure or uses any online service, such as If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. > [!NOTE] -> If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. -> ```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` +> If you're unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. +> ```Get-AdObject "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` > * If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. > * If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement > * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. @@ -209,13 +209,13 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** ### Directory Synchronization -Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multi-factor authentication during provisioning or writing the user’s public key. +Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multi-factor authentication during provisioning or writing the user's public key. If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized. If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credentials remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user's credentials remain on the on-premises network. ### Multifactor Authentication @@ -341,6 +341,6 @@ Modern managed devices do not require an Azure AD premium subscription. By forg If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**. -## Congratulations, You’re Done +## Congratulations, You're Done -Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment. +Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 55521c5955..59d7c625ad 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -44,7 +44,9 @@ #### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) -### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +### [Next-generation protection]() +#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +#### [Shadow protection](windows-defender-antivirus/shadow-protection.md) #### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) #### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) @@ -136,8 +138,8 @@ #### [Custom detections]() -##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) -##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) +##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) +##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) @@ -277,7 +279,7 @@ ###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md) ###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) ###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) -###### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) +###### [Configure antivirus exclusions Windows Server 2016 and 2019](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) ##### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) ##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) @@ -508,7 +510,7 @@ #### [Common Vulnerabilities and Exposures (CVE) to KB map]() ##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md) -#### [Pull detections to your SIEM tools]() + #### [Raw data streaming API]() ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md) ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md) diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index ba4901004c..51cb23c22b 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -22,40 +22,42 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. -Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced. +This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. -Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). +Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced. ->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. +Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx). + +> [!NOTE] +> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -**To configure settings to monitor changes to central access policy and rule definitions** +**Configure settings to monitor central access policy and rule definition changes** 1. Sign in to your domain controller by using domain administrator credentials. -2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. -3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. -4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. -5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. +2. In Server Manager, point to **Tools** and select **Group Policy Management**. +3. In the console tree, right-click the default domain controller Group Policy Object, and then select **Edit**. +4. Double-click **Computer Configuration** and select **Security Settings**. Expand **Advanced Audit Policy Configuration** and **System Audit Policies**, select **DS Access**, and then double-click **Audit directory service changes**. +5. Select the **Configure the following audit events** and **Success** check boxes (and the **Failure** check box, if you want). Then select **OK**. 6. Close the Group Policy Management Editor. 7. Open the Active Directory Administrative Center. 8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**. -9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. -10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. +9. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab. +10. Select **Add**, add a security auditing setting for the container, and then close all the security properties dialog boxes. After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored. -**To verify that changes to central access policy and rule definitions are monitored** +**Verify that central access policy and rule definition changes are monitored** 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. -3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**. -4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. -5. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. -6. In the **Central Access Policies** container, add a new central access policy (or select one that exists), click **Properties** in the **Tasks** pane, and then change one or more attributes. -7. Click **OK**, and then close the Active Directory Administrative Center. -8. In Server Manager, click **Tools**, and then click **Event Viewer**. -9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. +3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then select **Properties**. +4. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab. +5. Select **Add**, add a security auditing setting for the container, and then close all security properties dialog boxes. +6. In the **Central Access Policies** container, add a new central access policy (or select one that already exists). Select **Properties** in the **Tasks** pane, and then change one or more attributes. +7. Select **OK**, and then close the Active Directory Administrative Center. +8. In Server Manager, select **Tools** and then **Event Viewer**. +9. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log. -### Related resource +### Related topics - [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index c21ba65a4c..bddb29f760 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -1,7 +1,8 @@ --- -title: Planning and deploying advanced security audit policies (Windows 10) -description: Learn which options to consider and tasks to complete, to deploy an effective security audit policy in a network that includes advanced security audit policies. +title: Plan and deploy advanced security audit policies (Windows 10) +description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 + ms.reviewer: ms.author: dansimp ms.prod: w10 @@ -17,150 +18,153 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Planning and deploying advanced security audit policies +# Plan and deploy advanced security audit policies **Applies to** - Windows 10 -This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit -policies. +This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. -Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. +Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. -To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. +To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements. -Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring. +No organization has unlimited resources to monitor every resource and activity on a network. If you don't plan well, you'll likely have gaps in your auditing strategy. But if you try to audit every resource and activity, you may gather too much monitoring data, including thousands of benign audit entries that an analyst will have to sift through to identify the narrow set of entries that warrant closer examination. Such volume could delay or prevent auditors from identifying suspicious activity. Too much monitoring can leave an organization as vulnerable as not enough. Here are some features that can help you focus your effort: -- **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy. -- **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event. -- **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry. +- **Advanced audit policy settings:** You can apply and manage detailed audit policy settings through Group Policy. +- **"Reason for access" auditing:** You can specify and identify the permissions that were used to generate a particular object access security event. +- **Global object access auditing:** You can define system access control lists (SACLs) for an entire computer file system or registry. To deploy these features and plan an effective security auditing strategy, you need to: -- Identify your most critical resources and the most important activities that need to be tracked. -- Identify the audit settings that can be used to track these activities. +- Identify your most critical resources and the most important activities that you need to track. +- Identify the audit settings that you can use to track these activities. - Assess the advantages and potential costs associated with each. - Test these settings to validate your choices. - Develop plans for deploying and managing your audit policy. ## About this guide -This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. This policy must identify and address vital business needs, including: +This article guides you through the steps to plan a security auditing policy that uses Windows auditing features. The policy must address vital business needs, including: - Network reliability - Regulatory requirements -- Protection of the organization's data and intellectual property +- Protection of data and intellectual property - Users, including employees, contractors, partners, and customers - Client computers and applications - Servers and the applications and services running on those servers -The audit policy also must identify processes for managing audit data after it has been logged, including: +The audit policy also must identify processes for managing audit data after it's been logged, including: -- Collecting, evaluating, and reviewing audit data -- Storing and (if required) disposing of audit data +- Collecting, evaluating, and reviewing data +- Storing and (if necessary) disposing of data By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs. -## Understanding the security audit policy design process +## Understand the security audit policy design process -The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: +Designing and deploying a Windows security audit policy involves the following tasks, which are described in this document: -- [Identifying your Windows security audit policy deployment goals](#bkmk-1) +- [Identify your Windows security audit policy deployment goals](#bkmk-1) - This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. + This section helps define the business objectives that will guide your Windows security audit policy. It also helps define the resources, users, and computers that will be the focus of your auditing. -- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) +- [Map your security audit policy to groups of users, computers, and resources](#bkmk-2) - This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. + This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. It also explains when to use basic audit policy settings and when to use advanced security audit policy settings. -- [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) +- [Map your security auditing goals to a security audit policy configuration](#bkmk-3) - This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. + This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings to address auditing scenarios. -- [Planning for security audit monitoring and management](#bkmk-4) +- [Plan for security audit monitoring and management](#bkmk-4) - This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. + This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you audit, your Windows event logs can fill up quickly. This section also explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also covers how to address storage requirements. -- [Deploying the security audit policy](#bkmk-5) +- [Deploy the security audit policy](#bkmk-5) - This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. + This section provides guidelines for effective deployment of a Windows security audit policy. Deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you've selected will produce the audit data that you need. But only a carefully staged pilot and incremental deployment based on your domain and organizational unit (OU) structure will confirm that the audit data you generate can be monitored and meets your needs. -## Identifying your Windows security audit policy deployment goals +## Identify your Windows security audit policy deployment goals -A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. +A security audit policy must support and be an integrated aspect of an organization's overall security framework. -Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit. +Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which provide the strongest justification for the focus of a security audit. To create your Windows security audit plan, begin by identifying: -- The overall network environment, including the domains, OUs, and security groups. -- The resources on the network, the users of those resources, and how those resources are being used. -- Regulatory requirements. +- The overall network environment, including the domains, OUs, and security groups +- The resources on the network, the users of those resources, and how those resources are used +- Regulatory requirements ### Network environment -An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. +An organization's domain and organizational unit (OU) structure provide a fundamental starting point for thinking about how to apply a security audit policy. They likely provide a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. Your domain and OU structure probably already provide logical groups of users, resources, and activities that justify the resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources](#bkmk-2) later in this document. -In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. +In addition to your domain model, determine whether your organization maintains a systematic threat model. A good threat model can help identify threats to key components in your infrastructure. Then you can apply audit settings that enhance your ability to identify and counter those threats. ->**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. - -For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](https://go.microsoft.com/fwlink/p/?LinkId=163432). +> [!IMPORTANT] +> Including auditing in your organization's security plan also helps you budget resources to the areas where auditing can achieve the best results. ### Data and resources -For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage. +For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of your data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance your existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you can manage. -You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization. +You can record if these resources have high, medium, or low business impact; the cost to the organization if these data resources are accessed by unauthorized users; and the risks that such access can pose to the organization. The type of access by users (such as *read*, *modify*, or *copy*) can also pose different levels of risk. -Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. +Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss of credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. The following table provides an example of a resource analysis for an organization. | Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements | | - | - | - | - | - | -| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
    Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| -| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
    Lab Assistants: Write only on MedRec-2
    Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| -| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
    Public: Read only on Web-Ext-1| Low| Public education and corporate image| +| Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1
    Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| +| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2
    Lab Assistants: Write only on MedRec-2
    Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| +| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1
    Public: Read only on Web-Ext-1| Low| Public education and corporate image| ### Users -Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. +Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate. -Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department. +Organizations can create distinctions based on the type of rights and permissions that users need to do their jobs. Under the classification *administrators*, for example, large organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under *users*, permissions and Group Policy settings can apply to all users in an organization or as few as a subset of employees in a given department. -Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements. +Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you're complying with these requirements. -To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to. +To effectively audit user activity, begin by listing the different types of users in your organization, the types of data they need access to, and the data they shouldn't have access to. -Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data. +Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data. -The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. +The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. | Groups | Data | Possible auditing considerations | | - | - | - | | Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | -| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | -| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.| +| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | +| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.| ### Computers Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: -- If the computers are servers, desktop computers, or portable computers. -- The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. +- Whether the computers are servers, desktop computers, or portable computers +- The important applications that the computers run, such as Microsoft Exchange Server, SQL Server, or Forefront Identity Manager - >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx). + > [!NOTE] + > For more information about auditing: + > - In Exchange Server, see [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). + > - In SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). + > - In SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx). -- The operating system versions. +- The operating system versions - >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data. + > [!NOTE] + > The operating system version determines which auditing options are available and the volume of audit event data. -- The business value of the data. +- The business value of the data -For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. +For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network. The following table illustrates an analysis of computers in an organization. @@ -173,137 +177,150 @@ The following table illustrates an analysis of computers in an organization. ### Regulatory requirements -Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. +Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance. -For more info, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx). +For more information, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx). -## Mapping the security audit policy to groups of users, computers, and resources in your organization +## Map your security audit policy to groups of users, computers, and resources -By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the -following considerations for using Group Policy to apply security audit policy settings: +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: - The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. -- For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. -- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies. +- Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. +- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies. - For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of additional settings. To do this, you can link a second GPO to that specific lower-level OU. Then, a logon audit setting that's applied at the OU level will override a conflicting logon audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing. -- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a security group that contains only the users you specify. +- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify. - For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + For example, you could configure a SACL for a folder called *Payroll Data* on Accounting Server 1. You can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. But, because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder will generate audit events. -- Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. +- Advanced security audit policy settings were introduced in Windows Server 2008 R2 and Windows 7. These advanced audit policies can only be applied to those operating systems and later versions by using Group Policy. - >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. - If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. +> [!IMPORTANT] +> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + +If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored. -The following are examples of how audit policies can be applied to an organization's OU structure: +The following examples show how you can apply audit policies to an organization's OU structure: -- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers. -- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department. +- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain sensitive data, consider putting them in a separate OU. Then you can configure and apply a more precise audit policy to these servers. +- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs by department, consider applying more-detailed security permissions on critical resources that are accessed by employees who work in more-sensitive areas, such as network administrators or the legal department. - Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. -## Mapping your security auditing goals to a security audit policy configuration +## Map your security auditing goals to a security audit policy configuration -After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. +After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of: +- Computers that need to be monitored +- Activities that you want to audit +- Audit events that your audit configuration will generate +- Administrators available to analyze and act upon audit data To create your audit policy configuration, you need to: -1. Explore all of the audit policy settings that can be used to address your needs. -2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section. -3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor. -4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings. -5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data. +1. Explore all the audit policy settings that can be used to address your needs. +1. Choose the audit settings that will most effectively address the audit requirements there were identified in the previous section. +1. Confirm that the settings that you choose are compatible with the operating systems running on the computers that you want to monitor. +1. Decide which configuration options (*success*, *failure*, or both *success* and *failure*) you want to use for the audit settings. +1. Deploy the audit settings in a lab or test environment to verify that they meet your desired results for volume, supportability, and comprehensiveness. Then, deploy the audit settings in a pilot production environment to check that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data. -### Exploring audit policy options +### Explore audit policy options -Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations: +You can view and configure security audit policy settings in the supported versions of Windows in the following locations: -- **Security Settings\\Local Policies\\Audit Policy**. -- **Security Settings\\Local Policies\\Security Options**. -- **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). +- *Security Settings\\Local Policies\\Audit Policy* +- *Security Settings\\Local Policies\\Security Options* +- *Security Settings\\Advanced Audit Policy Configuration* + +For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). -### Choosing audit settings to use +### Choose audit settings to use -Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity: +Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under *Security Settings\\Advanced Audit Policy Configuration* can be used to monitor the following types of activity: - Data and resources - Users - Network ->**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. - +> [!IMPORTANT] +> Settings that are described in the reference might also provide valuable information about activity audited by another setting. For example, the settings that you use to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status and potentially for how well you're managing the activities of users on the network. + ### Data and resource activity -For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be -protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: +Compromise to an organization's data resources can cause tremendous financial losses, lost prestige, and legal liability. If your organization has critical data resources that must be protected, the following settings can provide valuable monitoring and forensic data: -- Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. -- Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL. +- **Object Access\\[Audit File Share](audit-file-share.md)**: This policy setting enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated with this setting will vary depending on the number of client computers that try to access the file share. On a file server or domain controller, volume may be high because of SYSVOL access by client computers for policy processing. If you don't need to record routine access by client computers on the file share, you may want to log audit events only for failed attempts to access the file share. +- **Object Access\\[Audit File System](audit-file-system.md)**: This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects, such as files and folders, that have configured SACLs, and only if the type of access requested (such as *write*, *read*, or *modify*) and the account that's making the request match the settings in the SACL. - If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. + If *success* auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If *failure* auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that you configured to be monitored. - >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). + > [!NOTE] + > To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). -- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. +- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL. - Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. + Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes. + +- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented. -- **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. - >**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. + > [!IMPORTANT] + > The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. ### User activity -The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. +The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers. -In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network: +In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track a variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network: -- Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. -- Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer. -- DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. -- Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious. -- Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. +- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. +- **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer. +- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enable you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. +- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to log on with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious. +- **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. - >**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. + > [!NOTE] + > There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated. -- Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](https://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. -- Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. -- Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. -- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section. -- Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. +- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons. +- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done. +- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section. +- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting and its role in providing "reason for access" audit data is described in the previous section. +- **Object Access\\[Audit Registry](audit-registry.md)**: Monitoring for changes to the registry is one of the best ways for administrators to ensure that malicious users don't make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs and only if the type of access that's requested, such as *write*, *read*, or *modify*, and the account making the request match the settings in the SACL. - >**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. + > [!IMPORTANT] + > On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer. -- Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. -- Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. +- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. +- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. ### Network activity -The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection. +The following network activity policy settings enable you to monitor security-related issues that aren't necessarily covered in the data or user-activity categories but that can be important for network status and protection. -- **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections. -- Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. +- **Account Management**: Use the policy settings in this category to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the [User activity](#user-activity) and [Data and resource activity](#data-and-resource-activity) sections. +- **Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)**: Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting enables you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting enables you to monitor the use of Kerberos service tickets. - >**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. + >[!NOTE] + >**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed. -- Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. -- **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. -- Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md), Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md), and Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md). Many networks support large numbers of external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the Internet by enabling network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly. -- Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md). Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these protections. -- **Policy Change**. These policy settings and events allow you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, any changes or attempts to change these policies can be an important aspect of security management for a network. -- Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected. -- Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies. -- Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. +- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. +- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers. +- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly. +- **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections. +- **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network. +- **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected. +- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor a variety of changes to an organization's IPsec policies. +- **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks. ### Confirm operating system version compatibility -Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). +Not all versions of Windows support advanced audit policy settings or the use of Group Policy to manage these settings. For more information, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). -The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. +The audit policy settings under **Local Policies\\Audit Policy** overlap with the audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit data that's less important to your organization. -For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. +For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx)**. When this setting is configured, it generates at least 10 types of audit events. In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: @@ -312,49 +329,50 @@ In comparison, the Account Logon category under **Security Settings\\Advanced Au - Kerberos Service Ticket Operations - Other Account Logon Events -These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. +These settings enable you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. -### Success, failure, or both +### *Success*, *failure*, or both -Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume. +Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This is an important question. The answer depends on the criticality of the event and the implications of the decision for event volume. -For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events. +For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events. -On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. +But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource. -## Planning for security audit monitoring and management +## Plan for security audit monitoring and management -Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. +Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data. -- Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity. -- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer. +- Will you keep event data on a local computer until an administrator logs on to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity. +- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer. -In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties: +In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties: -- **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations. -- **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. -- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. +- **Overwrite events as needed (oldest events first)**: This is the default option, which is acceptable in most situations. +- **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough. +- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. -You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following location in the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: -- **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. +- **Maximum Log Size (KB)**: This policy setting specifies the maximum size of the log files. In the Local Group Policy Editor and Event Viewer, you can enter values as large as 2 TB. If this setting isn't configured, event logs have a default maximum size of 20 megabytes. -- **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted. -- **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. -- **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained. +- **Log Access**: This policy setting determines which user accounts have access to log files and what usage rights are granted. +- **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. +- **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained. -In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435). +Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435). -## Deploying the security audit policy +## Deploy the security audit policy -Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. -The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend. +Before deploying the audit policy in a production environment, it's critical that you determine the effects of the policy settings that you've configured. -However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: +The first step in assessing your audit policy deployment is to create a test environment in a lab. Use it to simulate the various use scenarios that you identified to confirm that the audit settings you selected are configured correctly and generate the type of results you want. -- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location. -- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**. -- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings. +However, unless you can run fairly realistic simulations of network usage patterns, a lab setup can't provide accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: -After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete. +- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location +- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon** +- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings + +After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete. diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index c4257e755a..37fbb5cc46 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -74,10 +74,10 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
    To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) +- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) - [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) +- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 1ec28a4e93..572d4cf705 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -18,11 +18,22 @@ search.appverid: met150 # How Microsoft identifies malware and potentially unwanted applications -Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article. +Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us. -You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions. +You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md) -Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements. +The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification. + +>[!NOTE] +> New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or announcement. + +## Unknown – Unrecognized software + +No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.  With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program. + +You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to. + +Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software. ## Malware @@ -38,7 +49,7 @@ Microsoft classifies most malicious software into one of the following categorie * **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files. -* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn’t have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself. +* **Dropper:** A type of malware that installs other malware files onto your device. Unlike a downloader, a dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself. * **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md). @@ -48,7 +59,7 @@ Microsoft classifies most malicious software into one of the following categorie * **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove. -* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. +* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. * **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). @@ -84,7 +95,7 @@ Software that exhibits lack of choice might: Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: -* Display exaggerated claims about your device’s health. +* Display exaggerated claims about your device's health. * Make misleading or inaccurate claims about files, registry entries, or other items on your device. diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index cf1a7b6902..0c3ce01531 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -2,7 +2,7 @@ title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK) ms.reviewer: description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: av-test, av-comparatives, SE labs, MITRE ATT&CK, antivirus test, av testing, security product testing, security industry tests, industry antivirus tests, best antivirus, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows Defender Antivirus, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection +keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -50,7 +50,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p ### AV-Comparatives: Protection rating of 99.9% in the latest test -Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system’s performance. +Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. - Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) **Latest** @@ -94,7 +94,7 @@ MITRE tested the ability of products to detect techniques commonly used by the t ## To what extent are tests representative of protection in the real world? -Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. +Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 5b876f90b8..da85274100 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -19,12 +19,13 @@ ms.topic: conceptual # Configuration score **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] > Secure score is now part of Threat & Vulnerability Management as Configuration score. -Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: +Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: - Application - Operating system diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index ff9e39088c..dea1185d9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -1,6 +1,6 @@ --- title: Optimize ASR rule deployment and detections -description: Ensure your attack surface reduction (ASR) rules are fully optimized to identify and prevent typical actions taken by malware during the exploitation phase. +description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,33 +23,31 @@ ms.topic: article * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). -[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. +[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
    *Attack surface management card* -The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to: +The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to: -* Understand how ASR rules are currently deployed in your organization -* Review ASR detections and identify possible incorrect detections -* Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization. +* Review ASR detections and identify possible incorrect detections. +* Analyze the impact of exclusions and generate the list of file paths to exclude. -Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. +Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
    -*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* +The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center* > [!NOTE] -> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) +> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions). -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections). -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) - -## Related topics +**Related topics** * [Ensure your machines are configured properly](configure-machines.md) * [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index c25ee5cfa4..9698e75980 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -35,13 +35,16 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M 1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**. -2. Click **Apply**. +2. Click **Apply**. + ![Image of Microsoft Threat Experts settings](images/mte-collaboratewithmte.png) -3. Enter your name and email address so that Microsoft can get back to you on your application. +3. Enter your name and email address so that Microsoft can get back to you on your application. + ![Image of Microsoft Threat Experts application](images/mte-apply.png) -4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved. +4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved. + ![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png) 6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. @@ -74,15 +77,17 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w 2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**. ->![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png) + ![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png) ->A flyout screen opens. The following screen shows when you are on a trial subscription. ->![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png) + A flyout screen opens. The following screen shows when you are on a trial subscription. -> The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription. ->![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png) + ![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png) ->The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request. + The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription. + + ![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png) + + The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request. 3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index c5a436c489..5254713db3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,7 +1,7 @@ --- title: Create and manage custom detection rules in Microsoft Defender ATP ms.reviewer: -description: Learn how to create and manage custom detections rules based on advanced hunting queries +description: Learn how to create and manage custom detection rules based on advanced hunting queries keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -19,7 +19,7 @@ ms.topic: article --- -# Create and manage custom detections rules +# Create and manage custom detection rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -34,7 +34,7 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. #### Required columns in the query results -To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. +To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf new file mode 100644 index 0000000000..551d7a42e8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx new file mode 100644 index 0000000000..d37e16899b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png new file mode 100644 index 0000000000..05ac6c4637 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index fe9095c926..301ad65ba0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -144,6 +144,13 @@ More details about certain events are provided in the **Additional information** You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. +#### Event details +Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown. + +To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint. + +![Image of the event details panel](images/event-details.png) + ### Security recommendations **Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 79bae6b394..84d747929e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -1,6 +1,6 @@ --- title: Deploy Microsoft Defender ATP for Linux manually -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -37,11 +37,11 @@ Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defende ## Configure the Linux software repository -Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below. +Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below. -The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*. +The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. -In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel. +In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. ### RHEL and variants (CentOS and Oracle EL) @@ -53,13 +53,13 @@ In order to preview new features and provide early feedback, it is recommended t > In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”. ```bash - sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo + sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ``` - For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel: + For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel: ```bash - sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo + sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo ``` - Install the Microsoft GPG public key: @@ -67,12 +67,18 @@ In order to preview new features and provide early feedback, it is recommended t ```bash curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc ``` - + ```bash sudo rpm --import microsoft.asc ``` -- Download and make usable all the metadata for the currently enabled yum repositories: +- Install `yum-utils` if it is not already installed: + + ```bash + sudo yum install yum-utils + ``` + +- Download and make usable all the metadata for the currently enabled yum repositories: ```bash yum makecache @@ -85,10 +91,10 @@ In order to preview new features and provide early feedback, it is recommended t In the following commands, replace *[distro]* and *[version]* with the information you've identified: ```bash - sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo + sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ``` - For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel: + For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel: ```bash sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo @@ -99,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t ```bash curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc ``` - + ```bash rpm --import microsoft.asc ``` @@ -112,6 +118,12 @@ In order to preview new features and provide early feedback, it is recommended t sudo apt-get install curl ``` +- Install `libplist-utils` if it is not already installed: + + ```bash + sudo apt-get install libplist-utils + ``` + - Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`. In the below command, replace *[distro]* and *[version]* with the information you've identified: @@ -120,10 +132,10 @@ In order to preview new features and provide early feedback, it is recommended t curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list ``` - For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel: + For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel: ```bash - curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list + curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list ``` - Install the repository configuration: @@ -141,12 +153,7 @@ In order to preview new features and provide early feedback, it is recommended t - Install the Microsoft GPG public key: ```bash - curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg - ``` - - ```bash - sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/ - + curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - ``` - Install the https driver if it's not already present: @@ -193,7 +200,7 @@ Download the onboarding package from Microsoft Defender Security Center: 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - + ```bash ls -l total 8 @@ -234,6 +241,9 @@ Download the onboarding package from Microsoft Defender Security Center: 1 ``` + > [!IMPORTANT] + > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`. + 5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine: - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 8eae3591a3..bdba284676 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -42,7 +42,7 @@ Before you get started, please see [the main Microsoft Defender ATP for Linux pa - Curl - Unzip -- All host must be listed in the following format in the `/etc/ansible/hosts` file: +- All hosts must be listed in the following format in the `/etc/ansible/hosts` file: ```bash [servers] @@ -129,11 +129,11 @@ Create subtask or role files that contribute to an actual task. Create the follo - Add the Microsoft Defender ATP repository and key. - Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. + Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. - The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*. + The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. - In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel. + In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. @@ -233,6 +233,9 @@ Now run the tasks files under `/etc/ansible/playbooks/`. $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts ``` +> [!IMPORTANT] +> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. + - Validation/configuration: ```bash diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index a27c84b264..177ef802de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -78,11 +78,11 @@ install_mdatp ### Contents of `install_mdatp/manifests/init.pp` -Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. +Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. -The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*. +The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. -In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel. +In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. @@ -167,6 +167,9 @@ $ mdatp --health healthy The above command prints `1` if the product is onboarded and functioning as expected. +> [!IMPORTANT] +> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`. + If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: - 1 if the device is not yet onboarded. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 256186213a..537883114e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -35,7 +35,7 @@ This topic describes the structure of this profile (including a recommended prof The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences. -Typically, you would use a configuration management tool to push a file with the name ```mdatp_maanged.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```. +Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```. The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections. @@ -51,7 +51,7 @@ The *antivirusEngine* section of the configuration profile is used to manage the #### Enable / disable real-time protection -Detemines whether real-time protection (scan files as they are accessed) is enabled or not. +Determines whether real-time protection (scan files as they are accessed) is enabled or not. ||| |:---|:---| @@ -61,7 +61,7 @@ Detemines whether real-time protection (scan files as they are accessed) is enab #### Enable / disable passive mode -Detemines whether the antivirus engine runs in passive mode or not. In passive mode: +Determines whether the antivirus engine runs in passive mode or not. In passive mode: - Real-time protection is turned off. - On-demand scanning is turned on. - Automatic threat remediation is turned off. @@ -351,6 +351,16 @@ The following configuration profile contains entries for all settings described } ``` +## Configuration profile validation + +The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device: + +```bash +$ python -m json.tool mdatp_managed.json +``` + +If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`. + ## Configuration profile deployment Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 04f3d87059..94bb66756c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -45,7 +45,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. >[!NOTE] - >JamF falls under **Mobile Device Management**. + >Jamf falls under **Mobile Device Management**. 4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 84b0a77870..76875534f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -356,6 +356,10 @@ Specifies the value of tag | **Data type** | String | | **Possible values** | any string | +> [!IMPORTANT] +> - Only one value per tag type can be set. +> - Type of tags are unique, and should not be repeated in the same configuration profile. + ## Recommended configuration profile To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. @@ -730,13 +734,24 @@ The following configuration profile contains entries for all settings described ``` +## Configuration profile validation + +The configuration profile must be a valid *.plist* file. This can be checked by executing: + +```bash +$ plutil -lint com.microsoft.wdav.plist +com.microsoft.wdav.plist: OK +``` + +If the configuration profile is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`. + ## Configuration profile deployment Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune. ### JAMF deployment -From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the .plist produced earlier. +From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier. >[!CAUTION] >You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index e35c4b95e5..bda42ad846 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -13,7 +13,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste If an error occurs during installation, the installer will only report a general failure. -The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause. ## Uninstalling @@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note ### From the command line - ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'``` +- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'``` ## Configuring from the command line @@ -98,29 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s |EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` | |EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` | +## Client Microsoft Defender ATP quarantine directory + +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. + ## Microsoft Defender ATP portal information -In the Microsoft Defender ATP portal, you'll see two categories of information. - -Antivirus alerts, including: - - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) - -Device information, including: - - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine - - > [!NOTE] - > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center. +[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 34df1f32fc..ebad1005b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -19,6 +19,22 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Mac +> [!NOTE] +> In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. +> +> In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user facing *Legacy System Extension* warning to signal applications that rely on kernel extensions. +> +> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. + +## 100.86.91 + +> [!CAUTION] +> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13]. +> +> If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection. + +- Performance improvements & bug fixes + ## 100.83.73 - Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions) @@ -37,9 +53,9 @@ ms.topic: conceptual - Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service -```bash -$ mdatp --connectivity-test -``` + ```bash + $ mdatp --connectivity-test + ``` - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes @@ -60,12 +76,12 @@ $ mdatp --connectivity-test - Added support for macOS Catalina -> [!CAUTION] -> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. -> -> The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP: -> -> - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic. -> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. + > [!CAUTION] + > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. + > + > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP: + > + > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic. + > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 705752aeb3..ad38c483b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -20,6 +20,15 @@ ms.topic: conceptual # Microsoft Defender ATP for Linux +> [!IMPORTANT] +> **PUBLIC PREVIEW EDITION** +> +> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. +> +> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +> +> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today. + This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP] @@ -62,7 +71,7 @@ In general you need to take the following steps: - [Manual deployment](linux-install-manually.md) - Third-party management tools: - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md) - - [Deploy using Ansbile configuration management tool](linux-install-with-ansible.md) + - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md) ### System requirements @@ -92,6 +101,9 @@ The following table lists the services and their associated URLs that your netwo | United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
    uk-v20.events.data.microsoft.com | | United States | unitedstates.x.cp.wd.microsoft.com
    us-v20.events.data.microsoft.com | +> [!NOTE] +> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server) + Microsoft Defender ATP can discover a proxy server by using the following discovery methods: - Transparent proxy - Manual static proxy configuration diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index be43f23ee8..fa9b382efb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -114,6 +114,10 @@ Microsoft regularly publishes software updates to improve performance, security, Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). +## macOS kernel and system extensions + +In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details. + ## Resources - For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index ff425c7895..2b5f9a206d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -24,7 +24,11 @@ ms.topic: conceptual Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. -This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. +This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. + +Watch this video for a quick overview of Microsoft Threat Experts. +

    +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B] ## Before you begin diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 5c52a93ff5..50bd231776 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -37,6 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education A5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 +- Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 09dea1ee83..7773ecd54f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -1,15 +1,15 @@ --- title: Threat & Vulnerability Management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration asessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities +keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities, next generation search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -18,52 +18,60 @@ ms.topic: conceptual --- # Threat & Vulnerability Management + **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. -Watch this video for a quick overview of Threat & Vulnerability Management. +Watch this video for a quick overview of Threat & Vulnerability Management. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn] -## Next-generation capabilities -Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. +## Next-generation capabilities + +Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base. It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager. -It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. +It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. + - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Linked machine vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Configuration Manager +- Built-in remediation processes through Microsoft Intune and Configuration Manager ### Real-time discovery - + To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: + - Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. -- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. - Application runtime context. Visibility on application usage patterns for better prioritization and decision-making. - Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. - + ### Intelligence-driven prioritization - + Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: + - Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. - Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users. - +- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users. + ### Seamless remediation - -Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. + +Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. + +- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) @@ -79,4 +87,4 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm - [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) - [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) - [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [BLOG: Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) +- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 97a1b56853..d2c196a62c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,6 +1,6 @@ --- -title: What's in the dashboard and what it means for my organization's security posture -description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience. +title: Threat & Vulnerability Management dashboard overview +description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh @@ -8,8 +8,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -19,59 +19,72 @@ ms.topic: conceptual # Threat & Vulnerability Management dashboard overview **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: + - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable machine vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: + - View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines -- Correlate EDR insights with endpoint vulnerabilities and process them +- Correlate EDR insights with endpoint vulnerabilities and process them - Select remediation options, triage and track the remediation tasks - Select exception options and track active exceptions > [!NOTE] > Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score. +Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard. + +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv] + ## Threat & Vulnerability Management in Microsoft Defender Security Center -When you open the portal, you’ll see the main areas of the capability: - ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) - - ![Threat & Vulnerability Management menu](images/tvm-menu.png) +When you open the portal, you'll see the main areas of the capability: -- (1) Menu in the navigation pane -- (2) Threat & Vulnerability Management icon +- (1) Menu to open the navigation pane +- (2) Threat & Vulnerability Management navigation pane - (3) Threat & Vulnerability Management dashboard -You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. + ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) + + ![Threat & Vulnerability Management menu](images/tvm-menu.png) + +You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section. + +## Threat & Vulnerability Management navigation pane Area | Description :---|:--- -(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. -(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**. -**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. -**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information. -**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information. -**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information. -**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information. -(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**. -**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only. -**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information. -**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information. -**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. -**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. -**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions. -**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. +**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. +[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. +[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. +[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. +[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. -See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. +## Threat & Vulnerability Management dashboard + +Area | Description +:---|:--- +**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages. +[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. +[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page. +**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to
    • ![Possible active alert](images/tvm_alert_icon.png) possible active alerts
    • ![Threat insight](images/tvm_bug_icon.png) associated public exploits
    • ![Recommendation insight](images/tvm_insight_icon.png) recommendation insights

    Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. +**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. +**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions. +**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. + +See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Exposure score](tvm-exposure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index ad6de378c5..6785da1317 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -1,35 +1,37 @@ --- title: Exposure score -description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats. -keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score +description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats. +keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/30/2019 --- # Exposure score + **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. +Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. -The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. +The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. -![Exposure score widget](images/tvm_exp_score.png) +![Exposure score card](images/tvm_exp_score.png) ## How it works -Several factors affect your organization exposure score: +Several factors affect your organization exposure score: + - Weakness discovered on the device - Likelihood of a device getting breached - Value of the device to the organization @@ -38,6 +40,7 @@ Several factors affect your organization exposure score: Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 568f6d7c1d..bd569252f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -1,15 +1,15 @@ --- -title: Threat & Vulnerability Management supported operating systems +title: Threat & Vulnerability Management supported operating systems and platforms description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for. -keywords: mdatp-tvm supported os, mdatp-tvm, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, configuration score, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -19,6 +19,7 @@ ms.topic: article # Threat & Vulnerability Management supported operating systems and platforms **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -32,7 +33,7 @@ Operating system | Security assessment support Windows 7 | Operating System (OS) vulnerabilities Windows 8.1 | Not supported Windows 10 1607-1703 | Operating System (OS) vulnerabilities -Windows 10 1709+ |Operating System (OS) vulnerabilities
    Software product vulnerabilities
    Operating System (OS) configuration assessment
    Security controls configuration assessment
    Software product configuration assessment +Windows 10 1709+ |Operating System (OS) vulnerabilities
    Software product vulnerabilities
    Operating System (OS) configuration assessment
    Security controls configuration assessment
    Software product configuration assessment Windows Server 2008R2 | Operating System (OS) vulnerabilities
    Software product vulnerabilities Windows Server 2012R2 | Operating System (OS) vulnerabilities
    Software product vulnerabilities Windows Server 2016 | Operating System (OS) vulnerabilities
    Software product vulnerabilities @@ -43,6 +44,7 @@ Linux | Not supported (planned) Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list. ## Related topics + - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) @@ -52,4 +54,3 @@ Some of the above prerequisites might be different from the [Minimum requirement - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 2d9187a57f..689a9fe3d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -27,6 +27,9 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). +RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: +`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us` + ## November-December 2019 - [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
    Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md). diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 217b812683..300344160d 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -1,6 +1,6 @@ --- -title: Interactive logon Prompt user to change password before expiration (Windows 10) -description: Best practices, security considerations, and more for the security policy setting, Interactive logon Prompt user to change password before expiration. +title: Interactive log-on prompt user to change password before expiration (Windows 10) +description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 ms.reviewer: ms.author: dansimp @@ -17,52 +17,52 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Interactive logon: Prompt user to change password before expiration +# Interactive log on: Prompt the user to change passwords before expiration **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. +This article describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. ## Reference -The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. +This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires to avoid losing system access. ### Possible values -- A user-defined number of days from 0 through 999. -- Not defined. +- A user-defined number of days from 0 through 999 +- Not defined ### Best practices -1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on. -2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain. -3. Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on. +- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. +- Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. +- Don't set the value to zero, which displays the password expiration warning every time the user logs on. ### Location -Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options +*Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options* ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO | Default value | +| Server type or Group Policy Object | Default value | | - | - | | Default Domain Policy| Not defined| | Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | 5 days| -| DC Effective Default Settings | 5 days | -| Member Server Effective Default Settings| 5 days | -| Client Computer Effective Default Settings | 5 days| +| Stand-Alone Server Default Settings | Five days| +| DC Effective Default Settings | Five days | +| Member Server Effective Default Settings| Five days | +| Client Computer Effective Default Settings | Five days| ## Policy management -This section describes features and tools that are available to help you manage this policy. +This section describes features and tools that you can use to manage this policy. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -70,24 +70,24 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +Configure this policy setting by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in. ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and possible negative consequences of the countermeasure. ### Vulnerability -If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections. +If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may get locked out of the devices inadvertently. ### Countermeasure -Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days. +Configure the **Interactive logon: Prompt user to change password before expiration** setting to five days. ### Potential impact -Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days. +Users see a dialog-box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days. ## Related topics -- [Security Options](security-options.md) +- [Security options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index d36aa5c106..457ba6494f 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -1,6 +1,6 @@ --- title: Microsoft network client Digitally sign communications (always) (Windows 10) -description: Best practices, security considerations and more for the security policy setting, Microsoft network client Digitally sign communications (always). +description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.reviewer: manager: dansimp @@ -20,46 +20,46 @@ ms.date: 06/28/2018 - Windows 10 - Windows Server -Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. +This article describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." Misuse of these policy settings is a common error that can cause data access failure. -Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). +Beginning with SMBv2 clients and servers, signing can be either *required* or *not required*. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. +Negotiation occurs between the SMB client and the SMB server to decide whether signing will be used. The following table shows the effective behavior for SMBv3 and SMBv2. -| | Server – Required | Server – Not Required | +| | Server – required | Server – not required | |---------------------------|---------------------|------------------------| -| **Client – Required** | Signed | Signed | -| **Client – Not Required** | Signed 1 | Not Signed2 | +| **Client – required** | Signed | Signed | +| **Client – not required** | Signed 1 | Not signed2 |
    1 Default for domain controller SMB traffic
    2 Default for all other SMB traffic -Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). +Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact). ### Possible values - Enabled - Disabled -### Best practices +### Best practice Enable **Microsoft network client: Digitally sign communications (always)**. ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options* ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the default values for this policy. Default values are also listed on the policy’s property page. | Server type or GPO | Default value | | - | - | @@ -72,33 +72,33 @@ The following table lists the actual and effective default values for this polic ## Policy management -This section describes features and tools that are available to help you manage this policy. +This section describes features and tools that you can use to manage this policy. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure. ### Vulnerability -Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it to make the server perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that's supported by many versions of the Windows operating system. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't happen. ### Countermeasure Enable **Microsoft network client: Digitally sign communications (always)**. ->[!NOTE] ->An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. +> [!NOTE] +> An alternative countermeasure that could protect all network traffic is to implement digital signatures through IPsec. There are hardware-based accelerators for IPsec encryption and signing that can be used to minimize the performance impact on servers. No such accelerators are available for SMB signing. ### Potential impact -Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. +Storage speeds affect performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage for signing. If you're using a 1-Gb Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater. ## Related topics -- [Security Options](security-options.md) +- [Security options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 01dea39c48..4870151b22 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -1,6 +1,6 @@ --- title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) -description: Best practices and more for the security policy setting, Network Security Allow PKU2U authentication requests to this computer to use online identities. +description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 ms.reviewer: ms.author: dansimp @@ -22,45 +22,41 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. +This article describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. ## Reference -Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. +Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. -When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. -> [!Note] -> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. +> [!NOTE] +> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. ### Possible values -- **Enabled** +- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. - This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + > [!NOTE] + > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server. -> [!Note] -> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server. +- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. -- **Disabled** - - This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. - -- Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices +- ***Not set***: Not configuring this policy prevents online IDs from being used to authenticate the user. This option is the default on domain-joined devices. ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options* ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the effective default values for this policy. Default values are also listed on the policy’s property page. | Server type or Group Policy Object (GPO) | Default value | | - | - | @@ -73,20 +69,20 @@ The following table lists the actual and effective default values for this polic ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure. ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies. ### Countermeasure -Set this policy to Disabled or do not configure this security policy for domain-joined devices. +Set this policy to *Disabled* or don't configure this security policy for domain-joined devices. ### Potential impact -If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices. ## Related topics -- [Security Options](security-options.md) +- [Security options](security-options.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md index 228378515b..9b7b2cffbf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md @@ -13,7 +13,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 02/05/2020 -ms.reviewer: +ms.reviewer: shwetaj manager: dansimp audience: ITPro ms.topic: article diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 17897257a2..b42e1c8729 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: ksarens manager: dansimp --- @@ -22,14 +22,12 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. - -This utility can be useful when you want to automate Windows Defender Antivirus use. - -You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt. +You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. > [!NOTE] > You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. +> +> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. The utility has the following commands: @@ -44,11 +42,11 @@ MpCmdRun.exe -scan -2 | Command | Description | |:----|:----| | `-?` **or** `-h` | Displays all available options for this tool | -| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. | +| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. | | `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing | | `-GetFiles` | Collects support information | | `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder | -| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set | +| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set | | `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence | | `-RemoveDefinitions [-Engine]` | Restores the previous installed engine | | `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates | diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 6c817499da..97a45e8794 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -1,8 +1,8 @@ --- -title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 +title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019 ms.reviewer: manager: dansimp -description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions. +description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions. keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -22,48 +22,47 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions. +Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). -These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). - -You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics: +> [!NOTE] +> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. +In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles: - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -Custom exclusions take precedence over automatic exclusions. +## A few points to keep in mind -> [!TIP] -> Custom and duplicate exclusions do not conflict with automatic exclusions. +- Custom exclusions take precedence over automatic exclusions. -Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. +- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. + +- Custom and duplicate exclusions do not conflict with automatic exclusions. + +- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions -In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence updates. +In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. > [!WARNING] -> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. +> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. -> [!NOTE] -> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions. - -> [!TIP] -> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . +Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. -### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 +### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019 -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**. -4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**. +4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. -**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:** +### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019 Use the following cmdlets: @@ -71,11 +70,13 @@ Use the following cmdlets: Set-MpPreference -DisableAutoExclusions $true ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md). -### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 +[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index). -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 + +Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI DisableAutoExclusions @@ -85,212 +86,221 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## List of automatic exclusions + The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. ### Default exclusions for all roles -This section lists the default exclusions for all Windows Server 2016 roles. -- Windows "temp.edb" files: +This section lists the default exclusions for all Windows Server 2016 and 2019 roles. - - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb +#### Windows "temp.edb" files - - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log +- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb -- Windows Update files or Automatic Update files: +- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log - - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb +#### Windows Update files or Automatic Update files - - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk +- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb - - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log +- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk - - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs +- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log - - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log +- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs -- Windows Security files: +- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log - - *%windir%*\Security\database\\*.chk +#### Windows Security files - - *%windir%*\Security\database\\*.edb +- *%windir%*\Security\database\\*.chk - - *%windir%*\Security\database\\*.jrs +- *%windir%*\Security\database\\*.edb - - *%windir%*\Security\database\\*.log +- *%windir%*\Security\database\\*.jrs - - *%windir%*\Security\database\\*.sdb +- *%windir%*\Security\database\\*.log -- Group Policy files: +- *%windir%*\Security\database\\*.sdb - - *%allusersprofile%*\NTUser.pol +#### Group Policy files - - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol +- *%allusersprofile%*\NTUser.pol - - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol +- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol -- WINS files: +- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol - - *%systemroot%*\System32\Wins\\*\\\*.chk +#### WINS files - - *%systemroot%*\System32\Wins\\*\\\*.log +- *%systemroot%*\System32\Wins\\*\\\*.chk - - *%systemroot%*\System32\Wins\\*\\\*.mdb +- *%systemroot%*\System32\Wins\\*\\\*.log - - *%systemroot%*\System32\LogFiles\ +- *%systemroot%*\System32\Wins\\*\\\*.mdb - - *%systemroot%*\SysWow64\LogFiles\ +- *%systemroot%*\System32\LogFiles\ -- File Replication Service (FRS) exclusions: +- *%systemroot%*\SysWow64\LogFiles\ - - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` +#### File Replication Service (FRS) exclusions - - *%windir%*\Ntfrs\jet\sys\\*\edb.chk +- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + - *%windir%*\Ntfrs\jet\sys\\*\edb.chk - - *%windir%*\Ntfrs\jet\log\\*\\\*.log + - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb - - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` + - *%windir%*\Ntfrs\jet\log\\*\\\*.log - -*%windir%*\Ntfrs\\*\Edb\*.log +- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` - - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` + - *%windir%*\Ntfrs\\*\Edb\*.log - - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ +- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` + - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ - - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ +- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` - - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ - > [!NOTE] - > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). +- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` - - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + > [!NOTE] + > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). - - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ - - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* - - *%systemdrive%*\System Volume Information\DFSR\\*.XML + - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* - - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + - *%systemdrive%*\System Volume Information\DFSR\\*.XML - - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ - - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ - - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ - - *%systemdrive%*\System Volume Information\DFSR\\*.frx + - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db - - *%systemdrive%*\System Volume Information\DFSR\\*.log + - *%systemdrive%*\System Volume Information\DFSR\\*.frx - - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + - *%systemdrive%*\System Volume Information\DFSR\\*.log - - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs -- Process exclusions + - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb - - *%systemroot%*\System32\dfsr.exe +#### Process exclusions - - *%systemroot%*\System32\dfsrs.exe +- *%systemroot%*\System32\dfsr.exe -- Hyper-V exclusions: +- *%systemroot%*\System32\dfsrs.exe - - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role +#### Hyper-V exclusions - - File type exclusions: +This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role - - *.vhd +- File type exclusions: - - *.vhdx + - *.vhd - - *.avhd + - *.vhdx - - *.avhdx + - *.avhd - - *.vsv + - *.avhdx - - *.iso + - *.vsv - - *.rct + - *.iso - - *.vmcx + - *.rct - - *.vmrs + - *.vmcx - - Folder exclusions: + - *.vmrs - - *%ProgramData%*\Microsoft\Windows\Hyper-V +- Folder exclusions: - - *%ProgramFiles%*\Hyper-V + - *%ProgramData%*\Microsoft\Windows\Hyper-V - - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + - *%ProgramFiles%*\Hyper-V - - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots - - Process exclusions: + - *%Public%*\Documents\Hyper-V\Virtual Hard Disks - - *%systemroot%*\System32\Vmms.exe +- Process exclusions: - - *%systemroot%*\System32\Vmwp.exe + - *%systemroot%*\System32\Vmms.exe -- SYSVOL files: + - *%systemroot%*\System32\Vmwp.exe - - *%systemroot%*\Sysvol\Domain\\*.adm +#### SYSVOL files - - *%systemroot%*\Sysvol\Domain\\*.admx +- *%systemroot%*\Sysvol\Domain\\*.adm - - *%systemroot%*\Sysvol\Domain\\*.adml +- *%systemroot%*\Sysvol\Domain\\*.admx - - *%systemroot%*\Sysvol\Domain\Registry.pol +- *%systemroot%*\Sysvol\Domain\\*.adml - - *%systemroot%*\Sysvol\Domain\\*.aas +- *%systemroot%*\Sysvol\Domain\Registry.pol - - *%systemroot%*\Sysvol\Domain\\*.inf +- *%systemroot%*\Sysvol\Domain\\*.aas - - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini +- *%systemroot%*\Sysvol\Domain\\*.inf - - *%systemroot%*\Sysvol\Domain\\*.ins +- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini - - *%systemroot%*\Sysvol\Domain\Oscfilter.ini +- *%systemroot%*\Sysvol\Domain\\*.ins + +- *%systemroot%*\Sysvol\Domain\Oscfilter.ini ### Active Directory exclusions + This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. -- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` +#### NTDS database files - - %windir%\Ntds\ntds.dit +The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` - - %windir%\Ntds\ntds.pat +- %windir%\Ntds\ntds.dit -- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` +- %windir%\Ntds\ntds.pat - - %windir%\Ntds\EDB*.log +#### The AD DS transaction log files - - %windir%\Ntds\Res*.log +The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` - - %windir%\Ntds\Edb*.jrs +- %windir%\Ntds\EDB*.log - - %windir%\Ntds\Ntds*.pat +- %windir%\Ntds\Res*.log - - %windir%\Ntds\EDB*.log +- %windir%\Ntds\Edb*.jrs - - %windir%\Ntds\TEMP.edb +- %windir%\Ntds\Ntds*.pat -- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` +- %windir%\Ntds\EDB*.log - - %windir%\Ntds\Temp.edb +- %windir%\Ntds\TEMP.edb - - %windir%\Ntds\Edb.chk +#### The NTDS working folder -- Process exclusions for AD DS and AD DS-related support files: +This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` - - %systemroot%\System32\ntfrs.exe +- %windir%\Ntds\Temp.edb - - %systemroot%\System32\lsass.exe +- %windir%\Ntds\Edb.chk + +#### Process exclusions for AD DS and AD DS-related support files + +- %systemroot%\System32\ntfrs.exe + +- %systemroot%\System32\lsass.exe ### DHCP Server exclusions @@ -310,19 +320,19 @@ This section lists the exclusions that are delivered automatically when you inst This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. -- File and folder exclusions for the DNS Server role: +#### File and folder exclusions for the DNS Server role - - *%systemroot%*\System32\Dns\\*\\\*.log +- *%systemroot%*\System32\Dns\\*\\\*.log - - *%systemroot%*\System32\Dns\\*\\\*.dns +- *%systemroot%*\System32\Dns\\*\\\*.dns - - *%systemroot%*\System32\Dns\\*\\\*.scc +- *%systemroot%*\System32\Dns\\*\\\*.scc - - *%systemroot%*\System32\Dns\\*\BOOT +- *%systemroot%*\System32\Dns\\*\BOOT -- Process exclusions for the DNS Server role: +#### Process exclusions for the DNS Server role - - *%systemroot%*\System32\dns.exe +- *%systemroot%*\System32\dns.exe ### File and Storage Services exclusions @@ -338,43 +348,45 @@ This section lists the file and folder exclusions that are delivered automatical This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. -- File type exclusions: +#### File type exclusions - - *.shd +- *.shd - - *.spl +- *.spl -- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` +#### Folder exclusions - - *%system32%*\spool\printers\\* +This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` -- Process exclusions: +- *%system32%*\spool\printers\\* - - spoolsv.exe +#### Process exclusions + +- spoolsv.exe ### Web Server exclusions This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. -- Folder exclusions: +#### Folder exclusions - - *%SystemRoot%*\IIS Temporary Compressed Files +- *%SystemRoot%*\IIS Temporary Compressed Files - - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files +- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files - - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates +- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates - - *%systemDrive%*\inetpub\logs +- *%systemDrive%*\inetpub\logs - - *%systemDrive%*\inetpub\wwwroot +- *%systemDrive%*\inetpub\wwwroot -- Process exclusions: +#### Process exclusions - - *%SystemRoot%*\system32\inetsrv\w3wp.exe +- *%SystemRoot%*\system32\inetsrv\w3wp.exe - - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe +- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe - - *%SystemDrive%*\PHP5433\php-cgi.exe +- *%SystemDrive%*\PHP5433\php-cgi.exe ### Windows Server Update Services exclusions @@ -391,7 +403,11 @@ This section lists the folder exclusions that are delivered automatically when y ## Related articles - [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) + - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) + - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) + - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) + - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png new file mode 100644 index 0000000000..cea5e255f5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg new file mode 100644 index 0000000000..d6177a0899 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg new file mode 100644 index 0000000000..577f034ff6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 7ebc368cbc..5184c72aca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 03/04/2020 ms.reviewer: manager: dansimp --- @@ -24,8 +24,8 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are two types of updates related to keeping Windows Defender Antivirus up to date: -1. Protection updates +1. Protection updates 2. Product updates You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. @@ -36,15 +36,40 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. +Engine updates are included with the Security intelligence updates and are released on a monthly cadence. + ## Product updates -Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +## Released platform and engine versions + +Only the main version is listed in the following table as reference information: + +Month | Platform/Client | Engine +---|---|--- +Feb-2020 | - | 1.1.16800.x +Jan-2020 | 4.18.2001.x | 1.1.16700.x +Dec-2019 | - | - | +Nov-2019 | 4.18.1911.x | 1.1.16600.x +Oct-2019 | 4.18.1910.x | 1.1.16500.x +Sep-2019 | 4.18.1909.x | 1.1.16400.x +Aug-2019 | 4.18.1908.x | 1.1.16300.x +Jul-2019 | 4.18.1907.x | 1.1.16200.x +Jun-2019 | 4.18.1906.x | 1.1.16100.x +May-2019 | 4.18.1905.x | 1.1.16000.x +Apr-2019 | 4.18.1904.x | 1.1.15900.x +Mar-2019 | 4.18.1903.x | 1.1.15800.x +Feb-2019 | 4.18.1902.x | 1.1.15700.x +Jan-2019 | 4.18.1901.x | 1.1.15600.x +Dec-18 | 4.18.1812.X | 1.1.15500.x + + ## In this section -Topic | Description +Article | Description ---|--- [Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources. [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded. diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md index 8201f92e0e..77a5c15cf1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Windows Defender Antivirus together with Office 365 (including OneDrive) - better protection from ransomware and cyberthreats -description: Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more. -keywords: windows defender, antivirus, office 365, onedrive +title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats" +description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more." +keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -14,12 +14,12 @@ ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 02/26/2020 +ms.date: 03/04/2020 ms.reviewer: manager: dansimp --- -# Windows Defender Antivirus together with Office 365 +# Better together: Windows Defender Antivirus and Office 365 **Applies to:** @@ -46,9 +46,9 @@ Read the following sections to learn more. When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur: -1. **You are told about the threat**. (If your organization is using Microsoft Defender Advanced Threat Protection, your security operations team is notified, too.) +1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.) -2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). +2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.) 3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f). @@ -56,7 +56,7 @@ Think of the time and hassle this can save. ## Integration means better protection -Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection. Here's how: +Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how: - [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. @@ -68,7 +68,7 @@ Office 365 Advanced Threat Protection integrated with Microsoft Defender Advance - Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). -If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). +If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). ## More good reasons to use OneDrive diff --git a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md new file mode 100644 index 0000000000..46ca70b593 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md @@ -0,0 +1,89 @@ +--- +title: Shadow protection in next-generation protection +description: Learn about shadow protection in next-generation protection +keywords: Windows Defender Antivirus, shadow protection, passive mode +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: next-gen +ms.collection: +--- + +# Shadow protection in next-generation protection + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## What is shadow protection? + +Shadow protection (currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection)) extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. If your organization has decided to use an antivirus solution other than Windows Defender Antivirus, you are still protected through shadow protection. + +> [!TIP] +> To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). + +## What happens when something is detected? + +When shadow protection is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). + +The following images shows an instance of unwanted software that was detected and blocked through shadow protection: + +:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by shadow protection"::: + +## Turn on shadow protection + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. + +2. Choose **Settings** > **Advanced features**. + + :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn shadow protection on"::: + +3. Turn shadow protection on. + +> [!NOTE] +> Currently, shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off at this time. + +## Requirements for shadow protection + +|Requirement |Details | +|---------|---------| +|Permissions |One of the following roles should be assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal):
    - Security Administrator or Global Administrator
    - Security Reader
    See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions) | +|Operating system |One of the following:
    - Windows 10 (all releases)
    - Windows Server 2016 or later | +|Windows E5 enrollment |This is included in the following subscriptions:
    - Microsoft 365 E5
    - The Identity & Threat Protection offering for Microsoft 365 E3 customers.
    See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | +|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
    See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | +|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the `Get-MpComputerStatus` cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the `Get-MpComputerStatus` cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | + +> [!IMPORTANT] +> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) + + +## Frequently asked questions + +### Will shadow protection have any impact on a user's antivirus protection? + +No. Shadow protection does not affect third-party antivirus protection running on users' machines. Shadow protection kicks in if the primary antivirus solution misses something, or if there is post-breach detection. Shadow protection works just like Windows Defender Antivirus in passive mode with the additional steps of blocking and remediating malicious items detected. + +### Why do I need to keep Windows Defender Antivirus up to date? + +The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration, and to get best protection value, you should keep Windows Defender Antivirus up to date. + +### Why do we need cloud protection on? + +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models. + +### Can I participate in the private preview of shadow protection? + +If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`. + +## See also + +- [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) + diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 9ba7a43bf9..9c284e75a0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -1,6 +1,6 @@ --- -title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection -description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings. +title: "Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection" +description: "For best results, use Windows Defender Antivirus together with your other Microsoft offerings." keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 128fb4d3a3..48ce449ecd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -14,12 +14,9 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/17/2018 +ms.date: 02/28/2020 --- -> [!NOTE] -> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/). - # Deploy Windows Defender Application Control policies by using Microsoft Intune **Applies to:** @@ -33,6 +30,10 @@ In order to deploy a custom policy through Intune and define your own circle of ## Using Intune's Built-In Policies +Intune's built-in WDAC support enables you to deploy a policy which only allows Windows components and Microsoft Store apps to run. This policy is the non-Multiple Policy Format version of the DefaultWindows policy; the Multiple Policy Format version can be found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies. + +Setting "Trust apps with good reputation" to enabled is equivalent to adding [Option 14 (Enabled: Intelligent Security Graph Authorization)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-policy-rules) to the DefaultWindows policy. + 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. 2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 97443ac815..44fd750878 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 02/24/2020 +ms.date: 03/04/2020 --- # Understand WDAC policy rules and file rules @@ -126,3 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard > [!NOTE] > Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md) + +## Windows Defender Application Control filename rules + +File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies. + +Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. + +**Table 3. Windows Defender Application Control policy - filename levels** + +| Rule level | Description | +|----------- | ----------- | +| **File Description** | Specifies the file description provided by the developer of the binary. | +| **Internal Name** | Specifies the internal name of the binary. | +| **Original File Name** | Specifies the original file name, or the name with which the file was first created, of the binary. | +| **Package Family Name** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. | +| **Product Name** | Specifies the name of the product with which the binary ships. | diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index e34ac21abb..7c9d0b4790 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -14,6 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp +ms.date: 03/10/2020 --- # Authorize reputable apps with the Intelligent Security Graph (ISG) @@ -25,18 +26,18 @@ manager: dansimp Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task. -Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The the Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services). +Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services). ## How does the integration between WDAC and the Intelligent Security Graph work? -The the Microsoft Intelligent Security Graph relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the the Microsoft Intelligent Security Graph authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision. +The Microsoft Intelligent Security Graph relies on the same vast security intelligence and machine learning analytics which power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When an unevaluated file is run on a system with WDAC enabled with the Microsoft Intelligent Security Graph authorization option specified, WDAC queries the file's reputation by sending its hash and signing information to the cloud. If the Microsoft Intelligent Security Graph determines that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the file tries to execute, if there are no explicit deny rules present for the file, it will be allowed to run based on its positive reputation. Conversely, a file that has unknown or known bad reputation will still be allowed to run in the presence of a rule that explicitly allows the file. -After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. +Additionally, an application installer which is determined to have known good reputation will pass along that positive reputation to any files that it writes. This way, all the files needed to install and run an app are granted positive reputation data. -The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. +WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. >[!NOTE] ->Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines. +>Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Manager Configuration Manager (MEMCM) and Microsoft Endpoint Manager Intune (MEM Intune) can be used to create and push a WDAC policy to your client machines. Other examples of WDAC policies are available in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). @@ -85,7 +86,7 @@ In order for the heuristics used by the Microsoft Intelligent Security Graph to appidtel start ``` -For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the Configuration Manager WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through Configuration Manager then this step is required. +This step is not required for WDAC policies deployed over MDM using the AppLocker CSP, as the CSP will enable the necessary components. This step is also not required when enabling the Microsoft Intelligent Security Graph through the MEMCM WDAC UX. However, if custom policies are being deployed outside of the WDAC UX through MEMCM, then this step is required. ## Security considerations with the Intelligent Security Graph @@ -104,4 +105,4 @@ The Microsoft Intelligent Security Graph heuristics do not authorize kernel mode In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. >[!NOTE] -> A rule that explicitly allows an application will take precedence over the Microsoft Intelligent Security Graph rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables the Microsoft Intelligent Security Graph. In most circumstances you would need to build a custom WDAC policy, including the Microsoft Intelligent Security Graph, if desired. +> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. MEM Intune's built-in WDAC support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune#using-a-custom-oma-uri-profile). diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index b3b52de9b2..827bc6fab0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -14,7 +14,7 @@ author: denisebmsft ms.reviewer: isbrahm ms.author: deniseb manager: dansimp -ms.date: 01/08/2019 +ms.date: 01/31/2020 ms.custom: asr --- @@ -59,7 +59,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of ### WDAC System Requirements WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. -WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a scripthost like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. ## AppLocker @@ -97,6 +97,23 @@ Although either AppLocker or WDAC can be used to control application execution o AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +## WDAC and AppLocker Feature Availability +| Capability | WDAC | AppLocker | +|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Platform support | Available on Windows 10 | Available on Windows 8+ | +| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | +| Management solutions |
    • [Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
    • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
    • [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy)
    • PowerShell
    |
    • [Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
    • MEMCM (custom policy deployment via Software Distribution only)
    • [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)
    • PowerShell
        • | +| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | +| Kernel mode policies | Available on all Windows 10 versions | Not available | +| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available | +| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available | +| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available | +| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available | +| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | +| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available | +| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ | +| Enforceable file types |
        • Driver files: .sys
        • Executable files: .exe and .com
        • DLLs: .dll and .ocx
        • Windows Installer files: .msi, .mst, and .msp
        • Scripts: .ps1, .vbs, and .js
        • Packaged apps and packaged app installers: .appx
        |
        • Executable files: .exe and .com
        • [Optional] DLLs: .dll and .ocx
        • Windows Installer files: .msi, .mst, and .msp
        • Scripts: .ps1, .bat, .cmd, .vbs, and .js
        • Packaged apps and packaged app installers: .appx
        | + ## See also - [WDAC design guide](windows-defender-application-control-design-guide.md) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index d22f241c9b..b9d400165d 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -55,6 +55,9 @@ Windows Defender SmartScreen provide an early warning system against websites th - **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +> [!IMPORTANT] +> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. + ## Viewing Windows Defender SmartScreen anti-phishing events When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 05dc390aef..f46696402c 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -34,25 +34,30 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) ### Group Policy 1. Click **Start** > type and then click **Edit group policy**. + 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. -![Secure Launch Group Policy](images/secure-launch-group-policy.png) + ![Secure Launch Group Policy](images/secure-launch-group-policy.png) ### Windows Security Center Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. -![Windows Security Center](images/secure-launch-security-app.png) - + ![Windows Security Center](images/secure-launch-security-app.png) + ### Registry 1. Open Registry editor. + 2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**. + 3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**. + 4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**. + 5. Double-click **Enabled**, change the value to **1**, and click **OK**. -![Secure Launch Registry](images/secure-launch-registry.png) + ![Secure Launch Registry](images/secure-launch-registry.png) > [!IMPORTANT] > If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor. @@ -63,8 +68,8 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Windows Security Center](images/secure-launch-msinfo.png) ->[!NOTE] ->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity). +> [!NOTE] +> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs). ## System requirements for System Guard