diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 64e5ee645b..56172647cf 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,8 +6,8 @@ "redirect_document_id": true }, { -"source_path": "windows/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md", -"redirect_url": "/windows/devices/surface/surface-device-compatibility-with-windows-10-ltsc", +"source_path": "devices/surface/surface-device-compatibility-with-windows-10-ltsb.md", +"redirect_url": "/devices/surface/surface-device-compatibility-with-windows-10-ltsc", "redirect_document_id": true }, { diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 27d7b79e79..5dd7130ea6 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.md) ## [Deploy Surface devices](deploy.md) -### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) +### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md) #### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 9aa9194b2a..a18646b616 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -57,7 +57,7 @@ New or changed topic | Description |New or changed topic | Description | | --- | --- | -|[Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | New (supersedes [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md))| +|[Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md) | New (supersedes [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md))| ## January 2017 diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index a05b2ce399..d76f67bec8 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -17,7 +17,7 @@ Get deployment guidance for your Surface devices including information about MDT | Topic | Description | | --- | --- | -| [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. | +| [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. | | [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.| | [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. | | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.| diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index fdb52daf8f..a4c9d85f83 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -12,7 +12,7 @@ ms.date: 04/25/2017 # Long-Term Servicing Branch (LTSB) for Surface devices >[!WARNING] ->For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros. +>For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros. General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB). diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 127887c17e..76543bd50f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 01/08/2018 --- # What's new in MDM enrollment and management @@ -26,6 +26,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What's new in Windows 10, version 1607](#whatsnew1607) - [What's new in Windows 10, version 1703](#whatsnew10) - [What's new in Windows 10, version 1709](#whatsnew1709) +- [Change history in MDM documentation](#change-history-in-mdm-documentation) - [Breaking changes and known issues](#breaking-changes-and-known-issues) - [Get command inside an atomic command is not supported](#getcommand) - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification) @@ -44,7 +45,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning) - [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos) - [Device management agent for the push-button reset is not working](#pushbuttonreset) -- [Change history in MDM documentation](#change-history-in-mdm-documentation) - [FAQ](#faq) ## What's new in Windows 10, version 1511 @@ -1382,6 +1382,122 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### January 2018 + + ++++ + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, next major update:

+
    +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
    • +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
    • +
  • Browser/EnableExtendedBooksTelemetry
    • +
  • Browser/UseSharedFolderForBooks
    • +
  • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
    • +
  • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    • +
  • DeliveryOptimization/DODelayForegroundDownloadFromHttp
    • +
  • DeliveryOptimization/DOGroupIdSource
    • +
  • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
    • +
  • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
    • +
  • DeliveryOptimization/DORestrictPeerSelectionBy
    • +
  • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
    • +
  • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
    • +
  • KioskBrowser/BlockedUrlExceptions
    • +
  • KioskBrowser/BlockedUrls
    • +
  • KioskBrowser/DefaultURL
    • +
  • KioskBrowser/EnableHomeButton
    • +
  • KioskBrowser/EnableNavigationButtons
    • +
  • KioskBrowser/RestartOnIdleTime
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • +
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • +
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
    • +
  • LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
    • +
  • LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • +
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • +
  • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • +
  • Search/AllowCortanaInAAD
    • +
  • Search/DoNotUseWebResults
    • +
  • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
    • +
  • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
    • +
  • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
    • +
  • TaskScheduler/EnableXboxGameSaveTask
    • +
  • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
    • +
  • UserRights/AccessCredentialManagerAsTrustedCaller
    • +
  • UserRights/AccessFromNetwork
    • +
  • UserRights/ActAsPartOfTheOperatingSystem
    • +
  • UserRights/AllowLocalLogOn
    • +
  • UserRights/BackupFilesAndDirectories
    • +
  • UserRights/ChangeSystemTime
    • +
  • UserRights/CreateGlobalObjects
    • +
  • UserRights/CreatePageFile
    • +
  • UserRights/CreatePermanentSharedObjects
    • +
  • UserRights/CreateSymbolicLinks
    • +
  • UserRights/CreateToken
    • +
  • UserRights/DebugPrograms
    • +
  • UserRights/DenyAccessFromNetwork
    • +
  • UserRights/DenyLocalLogOn
    • +
  • UserRights/DenyRemoteDesktopServicesLogOn
    • +
  • UserRights/EnableDelegation
    • +
  • UserRights/GenerateSecurityAudits
    • +
  • UserRights/ImpersonateClient
    • +
  • UserRights/IncreaseSchedulingPriority
    • +
  • UserRights/LoadUnloadDeviceDrivers
    • +
  • UserRights/LockMemory
    • +
  • UserRights/ManageAuditingAndSecurityLog
    • +
  • UserRights/ManageVolume
    • +
  • UserRights/ModifyFirmwareEnvironment
    • +
  • UserRights/ModifyObjectLabel
    • +
  • UserRights/ProfileSingleProcess
    • +
  • UserRights/RemoteShutdown
    • +
  • UserRights/RestoreFilesAndDirectories
    • +
  • UserRights/TakeOwnership
    • +
  • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • +
  • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • +
  • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • +
  • WindowsDefenderSecurityCenter/HideSecureBoot
    • +
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • +
+
+ ### December 2017 @@ -1686,1326 +1802,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
-### July 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[VPNv2 CSP](vpnv2-csp.md)

Added DeviceTunnel profile in Windows 10, version 1709.

-
[BitLocker CSP](bitlocker-csp.md)Added the following statements:. -
    -
  • When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
    • -
  • When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
    • -
-
[Policy CSP](policy-configuration-service-provider.md) -

Added the following new policies for Windows 10, version 1709:

-
    -
  • Education/DefaultPrinterName
    • -
  • Education/PreventAddingNewPrinters
    • -
  • Education/PrinterNames
    • -
  • Security/ClearTPMIfNotReady
    • -
  • WindowsDefenderSecurityCenter/CompanyName
    • -
  • WindowsDefenderSecurityCenter/DisableAppBrowserUI
    • -
  • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
    • -
  • WindowsDefenderSecurityCenter/DisableFamilyUI
    • -
  • WindowsDefenderSecurityCenter/DisableHealthUI
    • -
  • WindowsDefenderSecurityCenter/DisableNetworkUI
    • -
  • WindowsDefenderSecurityCenter/DisableNotifications
    • -
  • WindowsDefenderSecurityCenter/DisableVirusUI
    • -
  • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
    • -
  • WindowsDefenderSecurityCenter/Email
    • -
  • WindowsDefenderSecurityCenter/EnableCustomizedToasts
    • -
  • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • -
  • WindowsDefenderSecurityCenter/Phone
    • -
  • WindowsDefenderSecurityCenter/URL
    • -
-

Experience/AllowFindMyDevice - updated the description to include active digitizers.

-
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)Added the following statement to [MSI/ProductID/DownloadInstall](enterprisedesktopappmanagement-csp.md#msi-productid-downloadinstall): -
    -
  • In Windows 10, version 1703 service release, a new tag "DownloadFromAad" was added to the "Enforcement" section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
    • -
-
[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)Added the following information about the settings pages in AssigneAccessXML: -
    -
  • Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page.
    • -
  • In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
    • -
-
[DeviceStatus CSP](devicestatus-csp.md)

Added the following settings in Windows 10, version 1709:

-
    -
  • DeviceStatus/DomainName
    • -
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
    • -
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
    • -
  • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
    • -
      -
[AssignedAccess CSP](assignedaccess-csp.md)

Here are the changes in Windows 10, version 1709.

-
    -
  • Added Configuration node
    • -
-

Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

-
[SurfaceHub CSP](surfacehub-csp.md)

Changed PasswordRotationPeriod to PasswordRotationEnabled.

-
- -### June 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)Added a list of registry locations that ingested policies are allowed to write to.
[Firewall CSP](firewall-csp.md)Added the following nodes: -
    -
  • Profiles
    • -
  • Direction
    • -
  • InterfaceTypes
    • -
  • EdgeTraversal
    • -
  • Status
    • -
-Also Added [Firewall DDF file](firewall-ddf-file.md).
[TPMPolicy CSP](tpmpolicy-csp.md)New CSP added in Windows 10, version 1703.
[Policy CSP](policy-configuration-service-provider.md) -

Added the following new policies for Windows 10, version 1703:

-
    -
  • Start/AllowPinnedFolderDocuments
    • -
  • Start/AllowPinnedFolderDownloads
    • -
  • Start/AllowPinnedFolderFileExplorer
    • -
  • Start/AllowPinnedFolderHomeGroup
    • -
  • Start/AllowPinnedFolderMusic
    • -
  • Start/AllowPinnedFolderNetwork
    • -
  • Start/AllowPinnedFolderPersonalFolder
    • -
  • Start/AllowPinnedFolderPictures
    • -
  • Start/AllowPinnedFolderSettings
    • -
  • Start/AllowPinnedFolderVideos
    • -
  • Update/AutoRestartDeadlinePeriodInDays
    • -
-

Added the following new policies for Windows 10, version 1709:

-
    -
  • CredentialProviders/EnableWindowsAutoPilotResetCredentials
    • -
  • DeviceGuard/EnableVirtualizationBasedSecurity
    • -
  • DeviceGuard/RequirePlatformSecurityFeatures
    • -
  • DeviceGuard/LsaCfgFlags
    • -
  • Power/DisplayOffTimeoutOnBattery
    • -
  • Power/DisplayOffTimeoutPluggedIn
    • -
  • Power/HibernateTimeoutOnBattery
    • -
  • Power/HibernateTimeoutPluggedIn
    • -
  • Power/StandbyTimeoutOnBattery
    • -
  • Power/StandbyTimeoutPluggedIn
    • -
  • Defender/AttackSurfaceReductionOnlyExclusions
    • -
  • Defender/AttackSurfaceReductionRules
    • -
  • Defender/CloudBlockLevel
    • -
  • Defender/CloudExtendedTimeout
    • -
  • Defender/EnableGuardMyFolders
    • -
  • Defender/EnableNetworkProtection
    • -
  • Defender/GuardedFoldersAllowedApplications
    • -
  • Defender/GuardedFoldersList
    • -
  • Update/ScheduledInstallEveryWeek
    • -
  • Update/ScheduledInstallFirstWeek
    • -
  • Update/ScheduledInstallFourthWeek
    • -
  • Update/ScheduledInstallSecondWeek
    • -
  • Update/ScheduledInstallThirdWeek
    • -
-

EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.

-
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)Updated the CSP in Windows 10, version 1709. Added the following settings: -
    -
  • DeviceTagging/Group
    • -
  • DeviceTagging/Criticality
    • -
-
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
[DynamicManagement CSP](dynamicmanagement-csp.md)The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
[CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md)In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
- -### May 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md) -

Added the following new policies for Windows 10, version 1703:

-
    -
  • Browser/AllowFlashClickToRun
    • -
  • Experience/AllowFindMyDevice
    • -
  • Privacy/LetAppsAccessTasks
    • -
  • Privacy/LetAppsAccessTasks_ForceAllowTheseApps
    • -
  • Privacy/LetAppsAccessTasks_ForceDenyTheseApps
    • -
  • Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
    • -
-

Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.

-

Added a statment that the following policies must target ./User.

-
    -
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
    • -
  • EnterpriseCloudPrint/CloudPrintResourceId
    • -
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
    • -
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
    • -
-
[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

Added a section describing SyncML examples of various ADMX elements.

-
[BitLocker CSP](bitlocker-csp.md) -

Added the following setting:

-
    -
  • AllowWarningForOtherDiskEncryption
    • -
-

Note that SystemDrivesMinimumPINLength is 6 digits instead of 4.

-
[Reporting CSP](reporting-csp.md)

Added new settings in Windows 10, version 1703.

-
    -
  • EnterpriseDataProtection/RetrieveByTimeRange/Type
    • -
  • EnterpriseDataProtection/RetrieveByCount/Type
    • -
-
[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)

Added following deep link parameters to the table:

-
    -
  • Username
    • -
  • Servername
    • -
  • Accesstoken
    • -
  • Deviceidentifier
    • -
  • Tenantidentifier
    • -
  • Ownership
    • -
-
[Firewall CSP](firewall-csp.md)

Added new CSP in Windows 10, version 1709.

-
MDM support for Windows 10 S

Updated the following topics to indicate MDM support in Windows 10 S.

-
    -
  • [Configuration service provider reference](configuration-service-provider-reference.md)
    • -
  • [Policy CSP](policy-configuration-service-provider.md)
    • -
-
- -### April 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
    • -
  • Start/ImportEdgeAssets
    • -
  • Update/DetectionFrequency
    • -
  • Update/PauseFeatureUpdatesStartTime
    • -
  • Update/PauseQualityUpdatesStartTime
    • -
  • Update/SetEDURestart
    • -
  • WiFi/AllowWiFiDirect
    • -
  • WirelessDisplay/AllowProjectionFromPC
    • -
  • WirelessDisplay/AllowProjectionFromPCOverInfrastructure
    • -
  • WirelessDisplay/AllowProjectionToPCOverInfrastructure
    • -
  • WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
    • -
-

DeviceLock/EnforceLockScreenAndLogonImage is not supported in Windows 10 Pro edition.

-
[DMSessionActions CSP](sharedpc-csp.md)

Added new CSP for Windows 10, version 1703.

-

[CertificateStore CSP](certificatestore-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • My/WSTEP/Renew/RetryAfterExpiryInterval
    • -
-

[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • SCEP/UniqueID/Install/AADKeyIdentifierList
    • -
-

[DMAcc CSP](dmacc-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • AccountUID/EXT/Microsoft/InitiateSession
    • -
-

[DMClient CSP](dmclient-csp.md)

Updated in Windows 10, version 1703. Added the following nodes and settings:

-
    -
  • HWDevID
    • -
  • Provider/ProviderID/ManagementServerToUpgradeTo
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/Title
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText
    • -
-
[SharedPC CSP](dmsessionactions-csp.md)

Added new settings in Windows 10, version 1703.

-
    -
  • RestrictLocalStorage
    • -
  • KioskModeAUMID
    • -
  • KioskModeUserTileDisplayText
    • -
  • InactiveThreshold
    • -
  • MaxPageFileSizeMB
    • -
-

The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

-
[RemoteLock CSP](remotelock-csp.md)

Added following setting:

-
    -
  • LockAndRecoverPIN
    • -
-
[NodeCache CSP](nodecache-csp.md)

Added following settings:

-
    -
  • ChangedNodesData
    • -
  • AutoSetExpectedValue
    • -
-
[Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)

Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

-
[RemoteWipe CSP](remotewipe-csp.md)

Added new setting in Windows 10, version 1703.

-
    -
  • doWipeProtected
    • -
-
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)

Added new setting in the March service release of Windows 10, version 1607.

-
    -
  • MSI/UpgradeCode/[Guid]
    • -
-
[MDM Bridge WMI Provider](https://msdnstage.redmond.corp.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx)

Updated for Windows 10, version 1703. Added new classes and properties.

-
[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)

Added a new topic describing how to deploy and configure App-V apps using MDM.

-
- -### March 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • Accounts/AllowMicrosoftAccountSignInAssistant
    • -
  • Connectivity/AllowConnectedDevices
    • -
  • Display/TurnOffGdiDPIScalingForApps
    • -
  • Display/TurnOnGdiDPIScalingForApps
    • -
  • Location/EnableLocation
    • -
  • SmartScreen/EnableAppInstallControl
    • -
  • SmartScreen/EnableSmartScreenInShell
    • -
  • SmartScreen/PreventOverrideForFilesInShell
    • -
  • Update/IgnoreMOAppDownloadLimit
    • -
  • Update/IgnoreMOUpdateDownloadLimit
    • -
-

For Windows 10, version 1703, added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

-
[DeviceLock/DevicePasswordEnabled](policy-configuration-service-provider.md#devicelock-devicepasswordenabled) in Policy CSP

Added the following note:

-

**DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:

-
    -
  • DevicePasswordEnabled is the parent policy of the following: -
    • AllowSimpleDevicePassword
      • -
    • MinDevicePasswordLength
      • -
    • AlphanumericDevicePasswordRequired -
      • MinDevicePasswordComplexCharacters
      •   -
    • MaxDevicePasswordFailedAttempts
      • -
    • MaxInactivityTimeDeviceLock
[Personalization CSP](personalization-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)

Added new CSP for Windows 10, version 1703.

[HealthAttestation CSP](healthattestation-csp.md)

Added the following settings:.

-
    -
  • HASEndpoint - added in Windows 10, version 1607, but not documented
    • -
  • TpmReadyStatus - added in the March service release of Windows 10, version 1607
    • -

[SurfaceHub CSP](surfacehub-csp.md)

Updated in Windows 10, version 1703. Added the following nodes and settings:

-
    -
  • InBoxApps/SkypeForBusiness
    • -
  • InBoxApps/SkypeForBusiness/DomainName
    • -
  • InBoxApps/Connect
    • -
  • InBoxApps/Connect/AutoLaunch
    • -
  • Properties/DefaultVolume
    • -
  • Properties/ScreenTimeout
    • -
  • Properties/SessionTimeout
    • -
  • Properties/SleepTimeout
    • -
  • Properties/AllowSessionResume
    • -
  • Properties/AllowAutoProxyAuth
    • -
  • Properties/DisableSigninSuggestions
    • -
  • Properties/DoNotShowMyMeetingsAndFiles
    • -
-
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseAPN CSP](enterpriseapn-csp.md)

Added the following setting:

-
    -
  • Roaming
    • -
-

[WindowsLicensing CSP](windowslicensing-csp.md)

Added the following setting for Windows 10, version 1703:

-
    -
  • ChangeProductKey
    • -
-

Added the following new node and settings in Windows 10, version 1607, but not previously documented:

-
    -
  • Subscriptions
    • -
  • Subscriptions/SubscriptionId
    • -
  • Subscriptions/SubscriptionId/Status
    • -
  • Subscriptions/SubscriptionId/Name
    • -
-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added the following settings:

-
    -
  • RevokeOnMDMHandoff
    • -
  • SMBAutoEncryptedFileExtensions
    • -
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • Configuration/TelemetryReportingFrequency
    • -
-
- -### February 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[SecureAssessment CSP](secureassessment-csp.md)

Updated the following setting names:

-
    -
  • AllowScreenMonitoring - previously ScreenCaptureCapability
    • -
  • RequirePrinting - previously PrintingCapability
    • -
-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added the following statement to [Settings/EDPShowIcons](enterprisedataprotection-csp.md#settings-edpshowicons):

    -
  • Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • ApplicationDefaults/DefaultAssociationsConfiguration
    • -
  • Browser/AllowAddressBarDropdown
    • -
  • Browser/AllowMicrosoftCompatibilityList
    • -
  • Browser/AllowSearchEngineCustomization
    • -
  • Browser/ClearBrowsingDataOnExit
    • -
  • Browser/ConfigureAdditionalSearchEngines
    • -
  • Browser/DisableLockdownOfStartPages
    • -
  • Browser/PreventFirstRunPage
    • -
  • Browser/PreventLiveTileDataCollection
    • -
  • Browser/SetDefaultSearchEngine
    • -
  • Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
    • -
  • Connectivity/AllowConnectedDevices
    • -
  • DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
    • -
  • Experience/AllowTailoredExperiencesWithDiagnosticData
    • -
  • Experience/AllowWindowsSpotlightOnActionCenter
    • -
  • Experience/AllowWindowsSpotlightWindowsWelcomeExperience
    • -
  • Settings/ConfigureTaskbarCalendar
    • -
  • Settings/PageVisibilityList
    • -
  • Start/HideAppList
    • -
  • Start/HideChangeAccountSettings
    • -
  • Start/HideFrequentlyUsedApps
    • -
  • Start/HideHibernate
    • -
  • Start/HideLock
    • -
  • Start/HidePowerButton
    • -
  • Start/HideRecentJumplists
    • -
  • Start/HideRecentlyAddedApps
    • -
  • Start/HideRestart
    • -
  • Start/HideShutDown
    • -
  • Start/HideSignOut
    • -
  • Start/HideSleep
    • -
  • Start/HideSwitchAccount
    • -
  • Start/HideUserTile
    • -
  • Start/NoPinningToTaskbar
    • -
  • System/AllowFontProviders
    • -
  • System/DisableOneDriveFileSync
    • -
  • TextInput/AllowKeyboardTextSuggestions
    • -
  • TimeLanguageSettings/AllowSet24HourClock
    • -
  • Update/ActiveHoursMaxRange
    • -
  • Update/AutoRestartNotificationSchedule
    • -
  • Update/AutoRestartRequiredNotificationDismissal
    • -
  • Update/EngagedRestartDeadline
    • -
  • Update/EngagedRestartSnoozeSchedule
    • -
  • Update/EngagedRestartTransitionSchedule
    • -
  • Update/SetAutoRestartNotificationDisable
    • -
  • WindowsLogon/HideFastUserSwitching
    • -
-

Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enteprise and IoT Enterprise

-

Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

-

Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

-
[NetworkProxy CSP](networkproxy-csp.md)

Added new CSP for Windows 10, version 1703.

[BitLocker CSP](bitlocker-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

[DynamicManagement CSP](dynamicmanagement-csp.md)

Added new CSP for Windows 10, version 1703.

[Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)

New mobile application management (MAM) support added in Windows 10, version 1703.

[PassportForWork CSP](passportforwork-csp.md)

Updated in Windows 10, version 1703. Added the following new node and settings:

-
    -
  • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
    • -
  • TenantId/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
    • -
  • TenantId/Policies/EnablePinRecovery
    • -
[Office CSP](office-csp.md)

Added new CSP for Windows 10, version 1703.

- -### January 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Reboot CSP](reboot-csp.md)

RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. Also updated the Note in RebootNow.

-
[Device update management](device-update-management.md)

Updated the following section:

-
    -
  • [Recommended Flow for Using the Server-Server Sync Protocol](device-update-management.md#recommendedflow)
    • -
[SecureAssessment CSP](secureassessment-csp.md)

Updated in Windows 10, version 1703. Added the following settings

-
    -
  • AllowTextSuggestions
    • -
  • PrintingCapability
    • -
  • ScreenCaptureCapability
    • -
-
[DevDetail CSP](devdetail-csp.md)

Updated in Windows 10, version 1703. Added the following setting: DeviceHardwareData

[Messaging CSP](messaging-csp.md)

Added new CSP for Windows 10, version 1703. This CSP is only supported in Windows 10 Mobile and Mobile Enteprise editions.

-
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • DeliveryOptimization/DOAllowVPNPeerCaching
    • -
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
    • -
  • DeliveryOptimization/DOMinFileSizeToCache
    • -
  • DeliveryOptimization/DOMinRAMAllowedToPeer
    • -
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
    • -
  • EnterpriseCloudPrint/CloudPrintResourceId
    • -
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
    • -
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
    • -
  • Messaging/AllowMMS
    • -
  • Messaging/AllowRCS
    • -
  • Privacy/LetAppsGetDiagnosticInfo
    • -
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
    • -
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
    • -
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
    • -
  • Privacy/LetAppsRunInBackground
    • -
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
    • -
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
    • -
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
    • -
-

Added the following new policy for the January service release of Windows 10, version 1607: Update/UpdateServiceUrlAlternate

-

Removed TextInput/AllowLinguisticDataCollection from Policy CSP in Windows 10 version 1703.

-
[CleanPC CSP](cleanpc-csp.md)

Added new CSP for Windows 10, version 1703.

[DeveloperSetup CSP](developersetup-csp.md)

Added new CSP for Windows 10, version 1703.

Added a download of Windows 10 version 1607 DDF files

You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).

-
[DeviceStatus CSP](devicestatus-csp.md)

Added the following values for DeviceStatus/NetworkIdentifiers/MacAddress/Type setting:

-
    -
  • 2 - WLAN (or other Wirless interface)
    • -
  • 1 - LAN (or other Wired interface)
    • -
  • 0 - Unknown
    • -
- -### December, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Update CSP](update-csp.md)

Added the following nodes:

-
    -
  • FailedUpdates/Failed Update Guid/RevisionNumber
    • -
  • InstalledUpdates/Installed Update Guid/RevisionNumber
    • -
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber
    • -
-
[AppLocker CSP](applocker-csp.md)

Added information about exempt applications list to the EnterpriseDataProtection setting.

-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

To Settings/RequireProtectionUnderLockConfig, added supported values.

-
[CM_CellularEntries CSP](cm-cellularentries-csp.md)

To PurposeGroups setting, added the following values Windows 10, version 1709:

-
    -
  • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
    • -
  • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
    • -
-
[CellularSettings CSP](cellularsettings-csp.md)

[CM_CellularEntries CSP](cm-cellularentries-csp.md)

[EnterpriseAPN CSP](enterpriseapn-csp.md)

In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

-
Updated the DDF topics.The following DDF topics were updated: -
    -
  • [DeviceManageability DDF file](devicemanageability-ddf.md)
    • -
  • [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
    • -
  • [DevDetail DDF file](devdetail-ddf-file.md)
    • -
  • [DeviceStatus DDF file](devicestatus-ddf.md)
    • -
  • [DevInfo DDF file](DevInfo-ddf-file.md)
    • -
  • [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
    • -
  • [PassportForWork DDF](passportforwork-ddf.md)
    • -
  • [EnterpriseExt DDF](enterpriseext-ddf.md)
    • -
[Reporting CSP](reporting-csp.md)

Reporting/SecurityAuditing setting is not supported in Windows 10, version 1607 in the desktop editions.

-
- -### November 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[EnterpriseAPN CSP](enterpriseapn-csp.md)

The EnterpriseAPN configuration service provider (CSP) is not supported in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), versions 1511 and 1607.

-
[Defender CSP](defender-csp.md)

Added the following values for Defender/Scan setting:

-
    -
  • 1 - quick scan
    • -
  • 2 - full scan
    • -
-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added data recovery agent (DRA) information to Settings/DataRecoveryCertificate.

-
[Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)

Added information about unenrollment from Azure Active Directory Join.

-
[Policy CSP](policy-configuration-service-provider.md)

Updated the description of the following policies.

    -
  • [Browser/Homepages](policy-configuration-service-provider.md#browser-homepages)
    • -
  • [DeviceLock/MaxInactivityTimeDeviceLock](policy-configuration-service-provider.md#devicelock-maxinactivitytimedevicelock)
    • -
  • [Experience/ConfigureWindowsSpotlightOnLockScreen](policy-configuration-service-provider.md#experience-configurewindowsspotlightonlockscreen)
    • -

-
- -### October 27, 2016 - - ---- - - - - - - - - - - - - - - - -
New or updated topicDescription
[CM_ProxyEntries CSP](cm-proxyentries-csp.md)

Support for OMA DM was added in Windows 10, version 1607

-
[AppLocker CSP](applocker-csp.md)

[Recommended deny list for Windows Information Protection](applocker-csp.md#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. -

-
- -### October 21, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Updated the most restricted values for the following policies:

-
    -
  • Browser/AllowDoNotTrack
    • -
  • Browser/AllowPasswordManager
    • -
  • Browser/AllowPopups
    • -
  • Browser/AllowSmartScreen
    • -
- -  - -### October 6, 2016 - - ---- - - - - - - - - - - - - - - - - -
New or updated topicDescription

WindowsTeam CSP

Deleted the WindowsTeam CSP topic. You should use [SurfaceHub](surfacehub-csp.md) instead.

[Policy CSP](policy-configuration-service-provider.md)

Added the following policies:

-
    -
  • Search/DisableBackoff
    • -
  • Search/DisableRemovableDriveIndexing
    • -
  • Search/PreventIndexingLowDiskSpaceMB
    • -
  • Search/PreventRemoteQueries
    • -
- -  - -### September 29, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Updated the following policy:

-
    -
  • System/AllowBuildPreview - supported in Windows 10 Mobile and Windows 10 Mobile Enterprise
    • -
  • Experience/AllowThirdPartySuggestionsInWindowsSpotlight - supported in Windows 10 Pro.
    • -
- -  - -### September 22, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[AppLocker CSP](applocker-csp.md)

Added the following note the the list of [Inbox apps and components](applocker-csp.md#inboxappsandcomponents):

-
-Note This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. -
-

[ComputerName](https://msdn.microsoft.com/library/windows/hardware/mt188590) in Windows Provisioning settings reference

ComputerName does not support asterisk (*) and does not support empty string.

[Policy CSP](policy-configuration-service-provider.md)

Updated the supported values for [Update/BranchReadinessLevel](policy-configuration-service-provider.md#update-branchreadinesslevel)

[Device update management](device-update-management.md)

Updated the following section:

-
    -
  • [Getting update metadata using the Server-Server sync protocol](device-update-management.md#gettingupdatemetadata)
    • -
- -  - -### September 12, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following statement to Update/DeferUpdatePeriod policy:

-

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:

-
    -
  • Update/RequireDeferUpgrade must be set to 1
    • -
  • System/AllowTelemetry must be set to 1 or higher
    • -
-

Added new policy Experience/AllowThirdPartySuggestionsInWindowsSpotlight in Windows 10, version 1607.

- -  - -### September 8, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Updated the names for the following settings:

-
    -
  • AppInventoryQuery
    • -
  • AppInventoryResults
    • -
[Policy CSP](policy-configuration-service-provider.md)

Updated the following policy description:

-

-
-
System/AllowTelemetry
-

Allow the device to send diagnostic and usage telemetry data, such as Watson.

-

The following lists describe the supported values:

-

Windows 8.1 values

-
    -
  • 0 – Not allowed
    • -
  • 1 – Allowed, except for Secondary Data Requests.
    • -
  • 2 (default) – Allowed.
    • -
-

Windows 10 values

-
    -
  • 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. -
    -Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -
    -
    • -
  • 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
    • -
  • 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
    • -
  • 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
    • -
-
-Important If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. -
-

Most restricted value is 0.

-
-
[OMA DM protocol support](oma-dm-protocol-support.md)

Updated the following description:

-
    -
  • LocURI - Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
    • -
[VPNv2 CSP](vpnv2-csp.md)

Updated the following description:

-
    -

  • VPNv2/ProfileName - Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).

    -

    Supported operations include Get, Add, and Delete.

    -
    -Note  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. -
    -
    • -
[MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224)

Replaced the descriptions for each class member with links to the corresponding node in the CSP topic. The CSP topics contain the most up-to-date information.

- -  - -### September 2, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md) -

[PolicyManager CSP](policymanager-csp.md)

Added the following note:

-
    -
  • You cannot disable or enable Contact Support and Windows Feedback apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
    • -
[PassportForWork CSP](passportforwork-csp.md)

Added the following note:

-
-Important  Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. -
-
[ProfileXML XSD](vpnv2-profile-xsd.md)

Updated the [Native profile example](vpnv2-profile-xsd.md#native-profile-example) example.

[Policy CSP](policy-configuration-service-provider.md) -

[Device update management](device-update-management.md)

The following policies are not supported in Windows 10 Mobile Enterprise:

-
    -
  • DeferUpgradePeriod
    • -
  • DeferFeatureUpdatesPeriodInDays
    • -
  • PauseFeatureUpdates
    • -
  • ExcludeWUDrivers
    • -
-
-Note  Since these policies are not blocked, you will not get a failure message when you use them to configure a Windows 10 Mobile Enterprise device. However, the policies will not take effect. -
-

Added additional information about update policies supported for Windows Update for Business in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement).

[DevDetail CSP](devdetail-csp.md)

In Ext/Microsoft/DeviceName node, the Replace operation is only supported in Windows 10 Mobile, and not supported in the desktop.

- -  - -### August 25, 2016 - - ---- - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy DDF file](policy-ddf-file.md)

Updated version for Windows 10, version 1607

[MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)

Updated the section about enrolling in MDM on a desktop. Added a new section for enrolling in MDM on a phone.

- -  - -### August 18, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[CertificateStore CSP](certificatestore-csp.md) -

[CertificateStore DDF file](certificatestore-ddf-file.md)

Added the following new settings in Windows 10, version 1607:

-
    -
  • My/WSTEP/Renew/LastRenewalAttemptTime
    • -
  • My/WSTEP/Renew/RenewNow
    • -
- -  - -### August 11, 2016 - - ---- - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)

Added new section:

-
    -
  • [Retry logic in case of a failure](bulk-enrollment-using-windows-provisioning-tool.md#retry-logic-in-case-of-a-failure)
    • -
[Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)

Added a link to MDM enrollment templates and CSS files:

-
    -
  • [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)
    • -
- -  - -### August 2, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[OMA DM protocol support](oma-dm-protocol-support.md)

Added a table of common SyncML response codes that occur during OMA DM sessions.

[Mobile device enrollment](mobile-device-enrollment.md)

Updated the following section:

-
    -
  • [Enrollment error messages](mobile-device-enrollment.md#enrollment-error-messages)
    • -
[SUPL CSP](supl-csp.md)

LocMasterSwitchDependencyNII setting is not deprecated. Removed the note that it's deprecated in Windows 10.

[Push notification support for device management](push-notification-windows-mdm.md)

Added the following section:

-
    -
  • [Get WNS credentials and PFN for MDM push notification](push-notification-windows-mdm.md#get-wns-credentials-and-pfn-for-mdm-push-notification)
    • -
[RemoteWipe CSP](remotewipe-csp.md)

Updated [The Remote Wipe Process](remotewipe-csp.md#the-remote-wipe-process) section. Added the following note:

-
-Note  On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed. -
-
[Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)

Added new step-by-step guide for creating and applying provisioning packages.

-   ## FAQ diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 49edda7d65..70a293fad5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -794,9 +794,6 @@ The following diagram shows the Policy configuration service provider in tree fo
DeliveryOptimization/DOAllowVPNPeerCaching
-
- DeliveryOptimization/DOCacheHost -
DeliveryOptimization/DODelayBackgroundDownloadFromHttp
@@ -2758,12 +2755,18 @@ The following diagram shows the Policy configuration service provider in tree fo
System/BootStartDriverInitialization
+
+ System/DisableEnterpriseAuthProxy +
System/DisableOneDriveFileSync
System/DisableSystemRestore
+
+ System/FeedbackHubAlwaysSaveDiagnosticsLocally +
System/LimitEnhancedDiagnosticDataWindowsAnalytics
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 3448fec985..38798af024 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -27,9 +27,6 @@ ms.date: 01/03/2018
DeliveryOptimization/DOAllowVPNPeerCaching
-
- DeliveryOptimization/DOCacheHost -
DeliveryOptimization/DODelayBackgroundDownloadFromHttp
@@ -199,55 +196,6 @@ The following list shows the supported values:
-**DeliveryOptimization/DOCacheHost** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, next major update. TBD - - - - - - - - - - - -
- **DeliveryOptimization/DODelayBackgroundDownloadFromHttp** diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 78872346bf..909326c959 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/14/2017 +ms.date: 12/19/2017 --- # Policy CSP - System +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -46,12 +48,18 @@ ms.date: 12/14/2017
System/BootStartDriverInitialization
+
+ System/DisableEnterpriseAuthProxy +
System/DisableOneDriveFileSync
System/DisableSystemRestore
+
+ System/FeedbackHubAlwaysSaveDiagnosticsLocally +
System/LimitEnhancedDiagnosticDataWindowsAnalytics
@@ -603,6 +611,50 @@ ADMX Info:
+**System/DisableEnterpriseAuthProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + + + + +
+ **System/DisableOneDriveFileSync** @@ -731,6 +783,56 @@ ADMX Info:
+**System/FeedbackHubAlwaysSaveDiagnosticsLocally** + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducation
check mark4check mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, next major update. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. + + + +The following list shows the supported values: + +- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. + + + + + + + + + +
+ **System/LimitEnhancedDiagnosticDataWindowsAnalytics** diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index c6dd23361e..26d0466e4a 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) New or changed topic | Description --- | --- +[ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) | Added settings for VPN **Native** and **Third Party** profile types. [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Clarified that the TopMFUApps elements in layoutmodification.xml are not supported in Windows 10, version 1709. ## November 2017 diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 606cb7c349..5c8c80dffc 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.date: 01/10/2018 --- # ConnectivityProfiles (Windows Configuration Designer reference) @@ -114,15 +114,33 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu)) | Setting | Description | | --- | --- | | **ProfileType** | Choose between **Native** and **Third Party** | -| RememberCredentials | Select whether credentials should be cached | | AlwaysOn | Set to **True** to automatically connect the VPN at sign-in | -| LockDown | When set to **True**:
- Profile automatically becomes an "always on" profile
- VPN cannot be disconnected
-If the profile is not connected, the user has no network connectivity
- No other profiles can be connected or modified | | ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN | | DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | -| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | +| LockDown | When set to **True**:
- Profile automatically becomes an "always on" profile
- VPN cannot be disconnected
-If the profile is not connected, the user has no network connectivity
- No other profiles can be connected or modified | | Proxy | Configure to **Automatic** or **Manual** | | ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings | | ProxyServer | When **Proxy** is set to **Manual**, enter the proxy server address as a fully qualified hostname or enter `IP address:Port` | +| RememberCredentials | Select whether credentials should be cached | +| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | + +When **ProfileType** is set to **Native**, the following additional settings are available. + +Setting | Description +--- | --- +AuthenticationUserMethod | When you set **NativeProtocolType** to **IKEv2**, choose between **EAP** and **MSChapv2**. +EAPConfiguration | When you set **AuthenticationUserMethod** to **EAP**, enter the HTML-encoded XML to configure EAP. For more information, see [EAP configuration](https://docs.microsoft.com/windows/client-management/mdm/eap-configuration). +NativeProtocolType | Choose between **PPTP**, **L2TP**, **IKEv2**, and **Automatic**. +RoutingPolicyType | Choose between **SplitTunnel**, in which traffic can go over any interface as determined by the networking stack, and **ForceTunnel**, in which all IP traffic must go over the VPN interface. +Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the exteranl IP of a gateway or a virtual IP for a server farm. + +When **ProfileType** is set to **Third Party**, the following additional settings are available. + +Setting | Description +--- |--- +PluginProfileCustomConfiguration | Enter HTML-encoded XML for SSL-VPN plug-in specific configuration, including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plug-in provider for format and other details. Most plug-ins can also configure values based on the server negotiations as well as defaults. +PluginProfilePackageFamilyName | Choose between **Pulse Secure VPN**, **F5 VPN Client**, and **SonicWALL Mobile Connect**. +PluginProfileServerUrlList | Enter a comma-separated list of servers in URL, hostname, or IP format. ## WiFiSense diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 3904305e1b..8340b166b5 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -16,62 +16,54 @@ author: greg-lindsay **Applies to** - Windows 10 -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. -The following tables summarize different Windows 10 deployment options and requirements. +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
  -| Scenario | Description | More information | -| :---: | :---: | :---: | -| [Windows AutoPilot](#windows-autopilot) | Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. |[Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-autopilot) | -| [In-place upgrade](#in-place-upgrade) | Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. |[Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)
[Perform an in-place upgrade to Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager) | -| [Subscription Activation](#windows-10-subscription-activation) | Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. |[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) | -| [AAD / MDM](#dynamic-provisioning) | The device is automatically joined to AAD and configured by MDM. |[Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) | -| [Provisioning packages](#dynamic-provisioning) | Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. |[Configure devices without MDM](https://docs.microsoft.com/windows/configuration/configure-devices-without-mdm) | -| [Bare metal](#new-computer) | Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)
[Install a new version of Windows on a new computer with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/install-new-windows-version-new-computer-bare-metal) | -| [Refresh](#computer-refresh) | Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. |[Refresh a Windows 7 computer with Windows 10](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager) | -| [Replace](#computer-replace) | Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. |[Replace a Windows 7 computer with a Windows 10 computer](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager) | + +
Mitigation +
-OS requirements: -
  +[Analyze log files](#analyze-log-files) in order to determine the files or registry entires that are blocking data migration. - - - - - - - - -
- Category - - Scenario - - Windows 10 1703 or later - - Windows 7 up to Windows 10 1607 -
- Modern +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. + +Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. + +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. + +
+ + + + + + + + + - - + - @@ -79,91 +71,99 @@ OS requirements: Dynamic -
CategoryScenarioDescriptionMore information
Modern + +[Windows AutoPilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - Windows AutoPilot - - - - X +Overview of Windows AutoPilot
- In-place upgrade + +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - - - +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
- Subscription Activation + +[Subscription Activation](#windows-10-subscription-activation) - + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - X +Windows 10 Subscription Activation
- AAD / MDM + + [AAD / MDM](#dynamic-provisioning) - + The device is automatically joined to AAD and configured by MDM. - +Azure Active Directory integration with MDM
- Provisioning packages + + [Provisioning packages](#dynamic-provisioning) - + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - +Configure devices without MDM
Traditional - Bare metal + + + [Bare metal](#new-computer) - + Deploy a new device, or wipe an existing device and deploy with a fresh image. - + Deploy a Windows 10 image using MDT
Install a new version of Windows on a new computer with System Center Configuration Manager
- Refresh + + [Refresh](#computer-refresh) - + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
- Replace + + [Replace](#computer-replace) - + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager

  ->[!NOTE] ->There is no pre-existing OS in the Windows AutoPilot or bare metal scenarios, so apps and settings are not migrated. In all other scenarios the existing apps and user settings are typically migrated to the new operating system. -## Windows AutoPilot +>[!IMPORTANT] +>The Windows AutoPilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows AutoPilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows AutoPilot Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. For more information about Windows AutoPilot, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows AutoPilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). -## Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation). - -## In-place upgrade +### In-place upgrade For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. @@ -188,26 +188,27 @@ There are some situations where you cannot use in-place upgrade; in these situat - Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + ## Dynamic provisioning For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: -- Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled. +### Windows 10 Subscription Activation -- Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources. -- Installation of additional apps needed for organization functions. -- Configuration of common Windows settings to ensure compliance with organization policies. -- Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune. +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation). -There are two primary dynamic provisioning scenarios: -- **Azure Active Directory (Azure AD) Join with automatic mobile device management (MDM) enrollment.** In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment -- **Provisioning package configuration.** Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm). -Either way, these scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. @@ -226,6 +227,7 @@ The traditional deployment scenario can be divided into different sub-scenarios. - **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). ### New computer + This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). The deployment process for the new machine scenario is as follows: @@ -241,6 +243,7 @@ The deployment process for the new machine scenario is as follows: After taking these steps, the computer is ready for use. ### Computer refresh + A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. The deployment process for the wipe-and-load scenario is as follows: @@ -260,6 +263,7 @@ The deployment process for the wipe-and-load scenario is as follows: After taking these steps, the machine is ready for use. ### Computer replace + A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. The deployment process for the replace scenario is as follows: @@ -271,6 +275,7 @@ The deployment process for the replace scenario is as follows: **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. ## Related topics + - [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) - [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)